
DPIA template (Data Protection Impact Assessment) — template GDPR Art. 35

Mandatory for high-risk processing. Template with AP criteria built in, plus a risk matrix and mitigating measures.

Last reviewed: 25 May 2026
See our article DPIA.

Mandatory for high-risk processing (Art. 35): systematic evaluation with automated decision-making and legal effect, large-scale processing of special-category data, systematic monitoring of public space, or one of the AP's 17 DPIA-list applications.

Mandatory content (Art. 35(7)): (a) a systematic description of the processing, (b) necessity and proportionality, (c) a risk analysis for data subjects, (d) mitigating measures.

Template elements: project name, controller, DPO involvement, purpose and legal basis, data types and retention, processors, international transfer, risk matrix (likelihood × impact), mitigating measures, residual risk evaluation, conclusion and signature.

Prior consultation (Art. 36): if residual risks remain high, you MUST consult the DPA in advance. The DPA has 8 weeks (14 weeks for complex cases).

AP template: the AP has published a free Excel and Word DPIA template. SIVON has sector-specific DPIA templates for education.

Who does the DPIA? The controller, with advice from the DPO (Art. 39(1)(c)). For complex cases (AI, biometrics, large-scale healthcare), an external DPIA expert is often needed.

Fines for a missing DPIA: Art. 83(4), up to €10m / 2%. AP enforcement in 2023-2025 was strict on missing DPIAs in retail, insurance, and HR monitoring.
