
Public Consultation until 9 June 2026
A ready-to-use DPIA template for organisations
![Document titled 'Template [2026] for Data Protection Impact Assessment (DPIA)', Version 1.0, adopted on 10 March 2026.](https://i0.wp.com/escaramozzino.legal/wp-content/uploads/2026/04/image-71.png?resize=772%2C487&ssl=1)
Eléonore Scaramozzino, Lawyer, Constellation Avocats
On 2 July 2025, the European Data Protection Board adopted the Helsinki Statement on enhanced clarity, support and engagement. The EDPB members agreed on new initiatives to make GDPR compliance easier, to enhance the dialogue with a broad range of stakeholders, to strengthen consistency and to develop cross-regulatory cooperation in the new digital regulatory landscape. The EDPB noted the importance of adopting new tools to make GDPR application easier.
The template for Data Protection Impact Assessments (DPIA) adopted by the EDPB will help organisations structure, harmonise and evidence their DPIA reporting processes. It can be used as a data-entry form for documenting and reporting a DPIA. Controllers benefit from pre-defined fields that prompt complete and structured responses. Designed for ease of use, the template ensures that all necessary information is captured accurately, while minimising errors and saving time.
A DPIA is a process required in situations where the processing is likely to result in a high risk, to describe how personal data will be processed, assess whether the processing is necessary and appropriate, and identify and reduce risks to individuals’ rights and freedoms. A DPIA may be mandatory or there may be reasons that, in the opinion of the controller, make the DPIA necessary or beneficial.

The analysis of the processing contains: i) an analysis of the legal basis of the processing for each of its purposes, including secondary or compatible purposes. If special categories of data are processed, the controller is required to justify the lifting of the prohibition on processing special categories of data; ii) documentation on data minimisation, retention periods, and data quality; and iii) a list of measures supporting compliance with GDPR requirements.

The Controller must discuss the appropriateness and effectiveness of these compliance measures.
The impacts of the processing on the rights and freedoms of data subjects
Impact is the consequences that can be expected from the materialisation of a threat, always considered in terms of the data subjects' rights and freedoms (see recital 75 GDPR, for example). The processing must be assessed for its necessity and its proportionality. The Controller must explain how the threats that the planned processing (as it has been designed and is projected to be implemented, including the technical, legal/contractual and organisational measures that mitigate risk) poses to the rights and freedoms of the data subjects can materialise, and identify their impacts and all possible risk sources. These are risks that exist even if everything works exactly as designed and all actors follow the rules.
i) Assess the necessity of the processing: evaluate whether the envisaged processing is effective and the least intrusive option for the data subjects' rights and freedoms. Analyse whether the processing demonstrably works as intended, at least to the appropriate or required level.
ii) Assess the proportionality of the processing: discuss the importance of the processing and its potential benefits for the data subject, for the organisation and collectively (the balance of advantages and disadvantages, benefits and costs).
Risk assessment and management
A risk is a scenario describing an event (the threat materialisation) and its consequences. The risk level expresses the extent to which data subjects are affected by the corresponding threat and is typically a function of: (i) the likelihood of the threat materialising; and (ii) the magnitude of the adverse impacts that would arise if the threat materialises (severity). Estimate the likelihood and severity of all the identified risks to the rights and freedoms of data subjects.
A risk source is the origin or underlying cause from which a threat can materialise. Typical examples in this context are software bugs, misconfigurations, wrong access rights, operational errors (sending data to the wrong recipient, wrong dataset used, forgotten de-provisioning), lack of maintenance (unpatched vulnerabilities, outdated components), insider abuse (staff exceeding their authorised use) or external attacks (phishing, ransomware).
Explain the details of the method followed to assess and manage risk. Provide the information necessary to understand and interpret the following aspects: likelihood and severity levels and their meanings (often a 2 to 5 level scale is used), risk metrics, how risks are prioritised, risk acceptance levels, etc. If an established method is used, provide the link to the external source introducing this method.
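The template asks the controller to state the scales, the metric, the prioritisation rule and the acceptance level explicitly. The following Python risk register is an added illustration of what such a stated method can look like; it is not part of the EDPB template or of this article. It assumes 4-level likelihood and severity scales, a risk level equal to their product (1 to 16), qualitative bands on that product, and an acceptance level of 4; the four risk scenarios are constructed samples drawn from the risk-source categories listed above. Each risk is scored before and after the planned measures, ranked by residual level, and flagged when it still exceeds the acceptance level.

```python
"""Worked DPIA risk-scoring example (added illustration, not the EDPB template's own method).

Assumptions, none of which come from the template: 4-level scales, risk level = likelihood x severity,
qualitative bands on the product, and an acceptance level of 4. Sample risks are constructed.
"""
from dataclasses import dataclass, field

# Assumed 4-level scales (the template only says 2 to 5 levels are common).
LIKELIHOOD_SCALE = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}
SEVERITY_SCALE = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}

# Assumed acceptance level: a residual level of 4 or below is accepted without further treatment.
ACCEPTANCE_LEVEL = 4


@dataclass
class Risk:
    scenario: str                  # the event (threat materialisation) and its consequences
    source: str                    # the risk source the threat originates from
    likelihood: int                # inherent likelihood, 1..4
    severity: int                  # inherent severity, 1..4
    measures: list = field(default_factory=list)  # planned mitigating measures
    residual_likelihood: int = 0   # 0 means "not changed by the measures"
    residual_severity: int = 0


def risk_level(likelihood: int, severity: int) -> int:
    """Risk level as a function of likelihood and severity (here: their product, 1..16)."""
    if likelihood not in LIKELIHOOD_SCALE or severity not in SEVERITY_SCALE:
        raise ValueError(f"likelihood and severity must be in 1..4, got {likelihood}, {severity}")
    return likelihood * severity


def rating(level: int) -> str:
    """Map a numeric level onto the qualitative bands used for prioritisation (assumed bands)."""
    if level <= 2:
        return "low"
    if level <= ACCEPTANCE_LEVEL:
        return "medium"
    if level <= 9:
        return "high"
    return "critical"


def assess(risks: list) -> list:
    """Score each risk before and after measures and rank by residual level, highest first."""
    rows = []
    for r in risks:
        inherent = risk_level(r.likelihood, r.severity)
        residual = risk_level(r.residual_likelihood or r.likelihood,
                              r.residual_severity or r.severity)
        rows.append({
            "scenario": r.scenario,
            "source": r.source,
            "inherent": inherent,
            "inherent_rating": rating(inherent),
            "residual": residual,
            "residual_rating": rating(residual),
            "accepted": residual <= ACCEPTANCE_LEVEL,
        })
    return sorted(rows, key=lambda row: (row["residual"], row["inherent"]), reverse=True)


def needs_treatment(risks: list) -> list:
    """Scenarios whose residual risk still exceeds the acceptance level and need further measures."""
    return [row["scenario"] for row in assess(risks) if not row["accepted"]]


# Constructed sample register; scores and measures are illustrative only.
SAMPLE_RISKS = [
    Risk("Staff read health records they have no business need for", "wrong access rights",
         likelihood=3, severity=4,
         measures=["role-based access", "quarterly access reviews", "access logging"],
         residual_likelihood=1),
    Risk("Bulk e-mail sent to the wrong recipient list", "operational error",
         likelihood=3, severity=2,
         measures=["send-time recipient confirmation", "DLP rule on the mailing list"],
         residual_likelihood=2),
    Risk("Ransomware encrypts the only copy of the customer database", "external attack",
         likelihood=2, severity=4,
         measures=["offline backups", "monthly patching"],
         residual_severity=3),
    Risk("Records kept after the retention period expires", "lack of maintenance",
         likelihood=4, severity=2,
         measures=["automated deletion job"],
         residual_likelihood=1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        flag = "accepted" if row["accepted"] else "TREAT FURTHER"
        print(f'{row["residual"]:>2} {row["residual_rating"]:<8} '
              f'(inherent {row["inherent"]:>2}) {flag:<14} {row["scenario"]}')
```

With these assumed scales, the ransomware scenario is the only one whose residual level (6, "high") still exceeds the acceptance level, so it is the one the register sends back for additional measures; the over-broad access scenario starts as the most serious (12, "critical") but drops to 4 once access is restricted and logged. Whatever scales and metric a controller actually uses, the point is that they are written down, so a reader of the DPIA can check every score against the stated rule.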

Involvement of interested parties
DPO's advice: the DPO provides an opinion, conclusions and recommendations concerning the envisaged processing.
Where appropriate, the data subjects or their representatives provide opinion, conclusions and recommendations concerning the envisaged processing.
