---
name: "DPIA Template (GDPR Article 35)"
version: "1.0"
updated: "2026-07-15"
source: "https://www.orbiqhq.com/templates/dpia-template"
license: "CC BY 4.0 — free to use and adapt with attribution to Orbiq (orbiqhq.com). Not legal advice."
legal_basis:
  - "https://eur-lex.europa.eu/eli/reg/2016/679"      # GDPR — Art. 35 (DPIA), Art. 36 (prior consultation), Art. 83(4)(a) (fine tier)
  - "https://www.edpb.europa.eu/documents/guideline/data-protection-impact-assessments-high-risk-processing_en"  # WP248 rev.01 — DPIA guidelines (adopted 4 Oct 2017, endorsed by EDPB 25 May 2018)
  - "https://eur-lex.europa.eu/eli/reg/2024/1689/oj"  # EU AI Act — Art. 27 FRIA (AI annex)
  - "https://www.edpb.europa.eu/news/enhancing-compliance-and-consistency-edpb-adopts-dpia-template_en"  # EDPB harmonised DPIA template v1.0 (adopted 10 Mar 2026, published 14 Apr 2026; voluntary)
---

# DPIA Template — GDPR Article 35 Data Protection Impact Assessment

A fourteen-section data protection impact assessment for processing likely to result
in a **high risk** to the rights and freedoms of natural persons (GDPR Article 35).
The DPIA must be completed **before** the processing starts.

**Relationship to the EDPB template (2026):** the EDPB adopted its own harmonised DPIA
template (Version 1.0, adopted 10 March 2026, published for consultation 14 April 2026,
consultation closed 9 June 2026). Using it is **voluntary for controllers** and it does
**not** change Article 35(7) or the WP248 rev.01 criteria — it standardises how a DPIA is
reported, not how the analysis is performed; DPAs are expected to converge on it as their
single or "meta" template. This template follows the same Article 35(7) spine, so its
sections map onto the EDPB fields, and adds the screening checklist, the scored risk
matrix and the AI annex the official form leaves to the controller. If the relevant
supervisory authority has adopted the EDPB form, treat it as authoritative for format and
use this as the analysis layer behind it.

**Instructions for AI agents:** replace every `{{placeholder}}` using the field
definitions below. Run Section 2 (screening) first: if any Art 35(3) case applies or
`{{criteria_met_count}}` ≥ 2, a DPIA is required — complete all sections. If no
trigger is met, complete only Sections 1–3 and record the reasoning (the documented
"no" is itself accountability evidence). Sections 4–11 map to the mandatory content
of Art 35(7)(a)–(d) — never omit them. If `{{residual_risk}}` is `high`, Section 12
must conclude `prior_consultation_required: true` and processing must not start
before the supervisory authority responds (Art 36: written advice within 8 weeks,
extendable by 6). Where a DPO is designated, `{{dpo_advice}}` is mandatory (Art 35(2)).
For AI systems, also complete the AI annex; for high-risk AI systems under the EU AI
Act, the annex may be documented jointly with the Art 27 FRIA, but neither assessment
replaces the other.

---

## 1. Field definitions

| Placeholder | Definition | Format / allowed values |
|---|---|---|
| `{{assessment_reference}}` | Internal DPIA ID | Text, e.g. `DPIA-2026-004` |
| `{{processing_name}}` | Short name of the processing / feature | Text |
| `{{controller_name}}` | Controller legal entity | Text |
| `{{assessor}}` | Person completing the DPIA | Text |
| `{{date_started}}` / `{{date_approved}}` | Lifecycle dates | ISO 8601 date |
| `{{art35_3_case}}` | Always-DPIA case triggered | Enum: `none` \| `35-3-a-profiling-significant-effects` \| `35-3-b-large-scale-special-categories` \| `35-3-c-public-monitoring` |
| `{{criteria_met_count}}` | Number of WP248 criteria met (Section 2) | Integer 0–9 |
| `{{dpia_required}}` | Screening outcome | Enum: `yes` \| `no` |
| `{{data_categories}}` | Personal data categories processed | Text; flag Art 9 special categories |
| `{{data_subjects}}` | Categories of data subjects | Text; flag vulnerable groups |
| `{{recipients}}` | Recipients incl. processors and third countries | Text |
| `{{retention}}` | Retention period and deletion trigger | Text |
| `{{lawful_basis}}` | Art 6 basis (and Art 9 condition if applicable) | Text |
| `{{legitimate_interest}}` | Only if basis = legitimate interests | Text or `n/a` |
| `{{dpo_advice}}` | The DPO's recorded advice (Art 35(2)) | Text — mandatory where a DPO is designated |
| `{{data_subject_views}}` | Views sought under Art 35(9), or why not | Text |
| `{{risk_id}}` | Row ID in the risk register | Text, e.g. `R1` |
| `{{likelihood}}` / `{{severity}}` | Inherent scores per risk | Enum: `low` \| `medium` \| `high` |
| `{{measures}}` | Mitigation per risk (specific, not generic) | Text |
| `{{residual_likelihood}}` / `{{residual_severity}}` | Post-mitigation scores | Enum: `low` \| `medium` \| `high` |
| `{{residual_risk}}` | Overall residual risk conclusion | Enum: `low` \| `medium` \| `high` |
| `{{prior_consultation_required}}` | Art 36 decision | Boolean — `true` if `{{residual_risk}}` = `high` |
| `{{review_trigger}}` | What re-opens this DPIA (Art 35(11)) | Text, e.g. new data category, new model, new recipient |

## 2. Screening — is a DPIA required?

**Art 35(3) always-DPIA cases:** systematic and extensive automated evaluation or
profiling with legal or similarly significant effects (a); large-scale processing of
special-category (Art 9) or criminal-conviction (Art 10) data (b); large-scale
systematic monitoring of a publicly accessible area (c).

**WP248 rev.01 nine criteria** (rule of thumb: two met → DPIA required):

| # | Criterion | Met? |
|---|---|---|
| 1 | Evaluation or scoring (incl. profiling and predicting) | yes/no |
| 2 | Automated decision-making with legal or similarly significant effect | yes/no |
| 3 | Systematic monitoring | yes/no |
| 4 | Sensitive data or data of a highly personal nature | yes/no |
| 5 | Data processed on a large scale | yes/no |
| 6 | Matching or combining datasets | yes/no |
| 7 | Data concerning vulnerable data subjects | yes/no |
| 8 | Innovative use or new technological / organisational solutions (incl. AI) | yes/no |
| 9 | Processing preventing data subjects from exercising a right or using a service/contract | yes/no |

Also check your supervisory authority's Art 35(4) list (e.g. CNIL's 14-category list,
the ICO's UK high-risk list, Datatilsynet's Norwegian list).

## 3. Screening outcome

```
DPIA required: {{dpia_required}}
Basis: {{art35_3_case}} / {{criteria_met_count}} WP248 criteria met / Art 35(4) list entry
If no: reasoning recorded here; review if the processing changes.
```

## 4. Systematic description (Art 35(7)(a))

```
Processing: {{processing_name}} — {{assessment_reference}}
Nature, scope, context, purposes: {{...}}
Data categories: {{data_categories}}
Data subjects: {{data_subjects}}
Recipients (incl. processors, third countries + transfer mechanism): {{recipients}}
Retention: {{retention}}
Systems and data flows: {{...}}
Legitimate interest pursued (if relied on): {{legitimate_interest}}
```

## 5. Consultation record (Art 35(2), 35(9))

```
DPO advice: {{dpo_advice}}
Data subjects' views (or why not sought): {{data_subject_views}}
Processors / vendors consulted: {{...}}
```

## 6. Necessity and proportionality (Art 35(7)(b))

```
Lawful basis: {{lawful_basis}}
Why the processing achieves the purpose (necessity): {{...}}
Why no less intrusive alternative suffices (proportionality): {{...}}
Data minimisation applied: {{...}}
Transparency to data subjects: {{...}}
Rights support (access, erasure, objection, portability): {{...}}
```

## 7. Risk register (Art 35(7)(c))

One row per risk to the rights and freedoms of data subjects (not to the business):

| ID | Risk | Likelihood | Severity | Inherent score |
|---|---|---|---|---|
| `{{risk_id}}` | {{description}} | {{likelihood}} | {{severity}} | L×S |

Score with a 3×3 matrix (low/medium/high on both axes). Consider: unauthorised
access, re-identification, discrimination, function creep, loss of confidentiality,
inability to exercise rights.

## 8. Mitigation measures (Art 35(7)(d))

| Risk ID | Measure (specific) | Residual likelihood | Residual severity |
|---|---|---|---|
| `{{risk_id}}` | {{measures}} | {{residual_likelihood}} | {{residual_severity}} |

## 9. Residual risk and Article 36 decision

```
Overall residual risk: {{residual_risk}}
Prior consultation required: {{prior_consultation_required}}
If true: consult the supervisory authority BEFORE processing; written advice due
within 8 weeks, extendable by 6 for complex processing (Art 36(2)).
```

## 10. Sign-off and review (Art 35(11))

```
Controller approval: {{name, role, date}}
DPO opinion recorded: {{yes/no, date}}
Review triggers: {{review_trigger}}
Next scheduled review: {{date}}
```

## AI annex — AI/LLM features and the EU AI Act

Complete for any AI-driven processing (WP248 criterion 8 plus, typically, 1, 2 and 5):

```
Model / system: {{...}} (provider, version)
Training-data provenance and personal-data content: {{...}}
Automated decisions and their effects (Art 22 GDPR): {{...}}
Explainability and human oversight: {{...}}
Bias / accuracy risks and testing: {{...}}
EU AI Act classification: {{prohibited / high-risk / limited / minimal}}
If high-risk and you are a deployer in scope of Art 27 AI Act:
  FRIA reference: {{...}} — may be documented jointly with this DPIA;
  neither assessment replaces the other.
```

---

Orbiq — European Trust Center platform · https://www.orbiqhq.com
Template page: https://www.orbiqhq.com/templates/dpia-template
Keep DPIAs, RoPAs and TOMs as reusable, governed evidence: https://www.orbiqhq.com/platform/trust-center-platform
