1. Template for DPIA (EN)
Page: 1
Data Protection Impact Assessment (DPIA)
pursuant to Art. 35 GDPR, Recitals 84, 89, 90, 91, 92
Title of the project: Title
Initial creation of DPIA: DD.MM.YYYY by Name Surname
Last check: DD.MM.YYYY by Name Surname
Next check due: DD.MM.YYYY
The sections in gray, like this one, are meant to provide “in document” guidance on how to use this template. In
general spaces where you are to insert information
Contents
1. Project 2
2. Need for a data protection impact assessment 2
3. Description of the (planned) processing 3
3.1. Overview / summary / visual 3
3.2. Scope of the processing 4
3.3. Nature of the processing 4
3.4. Context of the processing 5
3.5. Purpose of the processing 5
4. Check of purpose of the processing v legal framework 5
4.1. (Business) purpose(s) for processing the personal data 5
4.2. Link of the purpose with the basis for legitimate processing 6
4.3. Check of the necessity and proportionality of the processing 7
5. Assessment of the (inherent) risks for the data subjects 8
6. Data protection by Design 9
6.1. General 9
6.2. Specific measures 9
7. Assessment of the (residual) risks for the data subjects 9
8. Involvement of the data protection authority 9
9. Concluding remarks 10
1. Project
This chapter allows for a tie-in with the project in which the data processing is looked at, either to be developed or
to be changed. This is not a mandatory chapter in a DPIA, but it helps to put the DPIA in the larger business operations
context of the organisation.
Please give the official references and a short description of the project, as the case
may be (to avoid redundancy) by referring to relevant documents such as the project
charter or a process description.
2. Need for a data protection impact assessment
A data protection impact assessment is considered necessary when a data processing operation is “likely to result
in a high risk to the rights and freedoms of natural persons” (art. 35 §1 GDPR). This is assumed to be the case for
(art. 35 §3 GDPR):
● a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated
processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person
or similarly significantly affect the natural person
● processing on a large scale of special categories of data referred to in Article 9(1) (e.g. racial or ethnic origin, health data,
political opinions, religious beliefs, or trade union membership), or of personal data relating to criminal convictions and
offences referred to in Article 10 GDPR
● a systematic monitoring of a publicly accessible area on a large scale
This is elaborated by the data protection authorities to:
● Evaluation or scoring
● Automated decision-making with significant effects
● Systematic monitoring
● Processing of sensitive data or data of a highly personal nature
● Processing on a large scale
● Processing of data concerning vulnerable data subjects
● Innovative technological or organisational solutions
● Processing preventing data subjects from exercising a right or using a service or contract
● Data transfer across borders outside the European Union
Detailed explanations can be found in the guidelines provided in WP248 of the Article 29 Working Party, which were endorsed
by the EDPB.
Note that the “rights and freedoms of natural persons” that may be at risk are not only privacy (in the broad sense,
including self-development) and data protection, but also such rights and freedoms as the right to life, the right to
bodily integrity and the right not to be discriminated against.
There is a / no risk to the rights and freedoms of natural persons due to
[Please indicate what risks you have identified (with some brief explanation), e.g.]
- Privacy of the individuals (data subjects), including reputational damage or the
inability to access services or opportunities
- Data protection of the individuals (data subjects), including loss of confidentiality
- Identity theft
- Inability to exercise one’s rights
- Discrimination of the individuals (data subjects)
- Retaliation against the individuals (data subjects)
- Bodily harm to the individuals (data subjects)
- Threat of life for the individuals (data subjects)
We think the risk to the rights and freedoms of natural persons is (not) high due to
[Please give reasons why a DPIA is needed (or not), e.g.]
● Personal data being transferred around the globe
● Processing of data of vulnerable data subjects, e.g. workers in a potentially dangerous
situation
● Processing of sensitive data (e.g. racial or ethnic origin, health data, political
opinions, religious beliefs, or trade union membership)
● Processing for which it is impossible or unlikely that the data subject will
exercise their data subject rights (against the organisation)
If the conclusion is that the risk to the rights and freedoms of natural persons is NOT high, this should be argued.
In that case the data processing operation nevertheless needs to be notified to the data protection officer (or in its absence the
legal office) to ensure that it is registered in the data processing register (art. 30 GDPR), which requires a description of the
data processing anyway.
If this DPIA is completed and provided to the data protection officer (or in its absence the legal office), they will ensure that
the data processing is inserted in the data processing register based on the information in this DPIA.
3. Description of the (planned) processing
This section aims to address the requirement to insert “a systematic description of the envisaged processing
operations and the purposes of the processing” in the DPIA (art. 35 §7 a GDPR).
Remember that processing is broadly defined as “any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (art. 4
(2) GDPR).
The goal is to have a good view of the data processing. The (sub-)sections are merely there in support thereof. If
the description works better and is still complete through another format or presentation, the (sub-)sections can be
suppressed.
3.1. Overview / summary / visual
This section allows you to provide an overview of the processing end-to-end in a single summary description, ideally
with a visual of the data flows. The idea is to give the reader of this DPIA a global idea of the data processing
without having to read the details in the other (sub-)sections of this chapter.
[Please give an overview of the data processing, as the case may be supported by a
visual depiction of the data flows.]
3.2. Scope of the processing
This section allows you to provide information on the scope of the processing, in other words what the processing
covers. This includes the category of the personal data, the volume and variety of the personal data, the sensitivity
of the personal data, the extent and frequency of the processing, the duration of the processing, the number of data
subjects involved, the geographical area covered, …
[Please define the scope of data processing, e.g. with the following sections:]
(a) Data subjects in scope
a. types of data subjects in scope
b. estimated volume of data subjects in scope
(b) Personal data in scope
a. categories of personal data in scope
b. estimated volume of data (points) per data subject in scope
(c) Temporal scope
a. frequency of data updates
b. (longest) data retention
(d) Geographical scope
(e) Personal scope (parties involved)
a. Controller
b. Processor
3.3. Nature of the processing
This section allows you to provide information on the nature of the processing, in other words what we plan to do with
the personal data. This includes: how we collect the data, how we store the data, how we use the data, who has
access to the data, who we share the data with, whether we use any processors, retention periods, security
measures (so-called technical and organisational measures), whether we are using any new technologies (AI,
blockchain, etc.), whether we are using any novel types of processing, which screening criteria have been flagged
as likely high risk, …
[Please define the nature of data processing, e.g. with the following sections:]
(a) Data collection
a. Who collects?
b. Where does the collection happen (geographically)?
c. How is it collected?
d. From whom is it collected? (source: data subject, third party, data
broker, …)
(b) Data storage
a. Who stores / is responsible for the storage?
b. Where is it stored (geographically, “in the cloud”)?
(c) Access to the data
a. Who (parties or categories of recipients) will have direct access to the
data?
b. Who (parties or categories of recipients) will the data be shared with?
(d) Data use (in the broadest sense)
a. Who will do what with the data?
(e) Security of the processing
(f) Data destruction
3.4. Context of the processing
This section allows you to provide information on the context of the processing, in other words the wider picture,
including internal and external factors which might affect expectations or impact. This includes: the source of the
data, the nature of our relationship with the individuals (data subjects), the extent to which individuals (data subjects)
have control over their data, the extent to which individuals (data subjects) are likely to expect the processing,
whether they include children or other vulnerable people, any previous experience of this type of processing, any
relevant advances in technology or security, any current issues of public concern, whether any data protection
codes of conduct or certification schemes will be complied with (once any have been approved), whether relevant
codes of practice have been considered and complied with, …
Reference is made to the project description in chapter 1 of this document.
[Please define the further context of data processing, should such be relevant.]
3.5. Purpose of the processing
The purpose of the processing is the reason why we want to process the personal data. This includes: a legal
obligation, a contractual obligation (of ours or of third parties we technically or organisationally support), an interest of
the organisation or its members, the intended outcome for individuals (data subjects), the expected benefits for the
organisation or society as a whole, …
Reference is made to chapter 4 of this document.
4. Check of purpose of the processing v legal framework
This section aims to address the requirement to insert “(a systematic description of) (…) the purposes of the
processing” and “an assessment of the necessity and proportionality of the processing operations in relation to the
purposes” in the DPIA (art. 35 §7 a and b GDPR).
The purpose-bound nature of processing is a basic principle of the data protection legislation (art. 5 §1 b GDPR):
personal data must only “be collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes”.
4.1. (Business) purpose(s) for processing the personal data
[Please define the (business) purpose(s) of data processing, e.g. a new or changed
service for the customers, digitalisation of an existing HR process for payroll
administration, …]
4.2. Link of the purpose with the basis for legitimate processing
Lawful processing is a basic principle of the data protection legislation (art. 5 §1 a GDPR). It is required for all
data processing, with additional requirements / restrictions for the processing of special categories of data and the
transfer of data outside of the EU.
(1) General basis for legitimate processing
This section focuses on the application of one of the six general bases for legitimate processing mentioned in art.
6 §1 GDPR, mainly: (a) consent of the data subject (with special attention to the requirements for and weakness
of such consent, art. 7 and 8 GDPR), (b) performance of a contract to which the data subject is party or in order to
take steps at the request of the data subject prior to entering into a contract, (c) compliance with a legal obligation
to which the controller is subject (be careful about legal obligations outside of the EU), and (d) legitimate interests pursued
by the controller or by a third party, except where such interests are overridden by the interests or fundamental
rights and freedoms of the data subject which require protection of personal data.
[Please determine the (main) legal basis for the (different) processing (operations) of
all personal data in scope by referring to one of the legal bases and explaining how it
applies in this case, so]
(a) In case of consent: demonstrate how consent is retrieved and can be proven
(b) In case of a contract: reference to the (draft / template) contract
(c) In case of a legal obligation: reference to the source of the legal obligation, as
the case may be the joint reading of multiple provisions
(d) In case of a legitimate interest: make the interest(s) explicit and prepare to
explain in depth in section 4.3 how the individual rights of the data subjects are
not overriding that (those) interest(s)
(2) Basis for legitimate processing in case of special categories of data
If and when special categories of data are processed, this requires an additional basis for legitimate processing
(art. 9 and 10 GDPR). The categories of data referred to are in particular “data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data,
biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning
a natural person's sex life or sexual orientation”, and “data relating to criminal convictions and offences or related
security measures”. For the latter category we should only process such data if there is a legal basis for the processing.
Note that beyond that, specific legal provisions may specifically protect other categories of data, such as cardholder
data (e.g. PCI-DSS) or other financial data, national register numbers, social security numbers or other identifiers
of general use by the government or other bodies, …
[Please determine the (main) legal basis for the (different) processing (operations) of
special categories of personal data in scope by referring to one of the legal bases and
explaining how it applies in this case, so for example]
(a) In case of a legal obligation: reference to the source of the legal obligation, as
the case may be the joint reading of multiple provisions
(b) In case of explicit consent: reference to the (draft / template) contract
(c) In case of establishment, exercise or defence of legal claims: the reference to
the type of legal claims and the parties to the claim (claimant and defendant)
(3) Basis for legitimate processing in case of transfer outside of EU
This section focuses on the application of three main mechanisms to support structural transfers of personal data
outside of the EU, namely (a) the countries involved are considered to provide equivalent or adequate data
protection (art. 45 GDPR + website EC), (b) standard contractual clauses (art. 46 §2 c and d io. 93 §2 GDPR +
website EC), or (c) binding corporate rules (art. 47 GDPR + website EDPB). Only for “one off” / occasional transfers
can the derogations be looked at (art. 49 GDPR).
Note that at least since the so-called Schrems II decision (C-311/18) the transfer of personal data outside of the EU
also requires an analysis of the legal system in the receiving countries to assess the data protection risk for the
data subjects and to develop measures (like encryption and contractual arrangements) that keep the data protection
risk (for the data subjects) low. Only in case of an adequacy decision (art. 45 GDPR) is this not required.
[Please define the (business) purpose(s) of data processing, e.g. a new or changed
service for the customers, digitalisation of an existing HR process for payroll
administration, …]
(4) Local law legitimacy requirement
This section allows for insertion of local law that may apply, especially outside of the EU.
[OR We are not aware of any local law that in addition needs to be applied to come to
a legitimate processing of the information.]
[OR The following local law was brought to our attention and has the following impact
for the legitimate processing of the information: (…)]
4.3. Check of the necessity and proportionality of the processing
(1) Necessity of the processing
In each of the bases for legitimate processing there is a necessity wording, i.e. only the necessary data processing
can be legitimised. Consequently, only the necessary processing can lawfully be performed.
[Please argue that and how all processing described is necessary in reaching the
purposes defined.]
(2) Data minimisation
Data minimisation is a basic principle of the data protection legislation (art. 5 §1 c GDPR): personal data must (only)
be processed if it is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are
processed”. In other words, only the minimum amount of relevant data should be processed, and this assessment
should in principle be applied at each stage of the end-to-end process.
[Please argue that and how only the minimum amount of relevant data is to be
processed.]
(3) Avoidance of “function creep”
Function creep is the situation where data processed for one (bundle of) purposes is (later) reused for other
purposes, mainly because “we have the data anyway”.
[Please argue that and how function creep is avoided.]
(4) Only need-to-know access
A limitation of the access to the data to only those people and parties that have a need-to-know is an application of
the proportionality principle (art. 5 §1 f, 28, 29 and 32 GDPR).
[Please argue that and how the (relevant) data is only accessible by / shared with
people with a need to know. Note that in principle the parties involved will be mentioned in more
detail in section 3.3.]
(5) Time limitation (“storage limitation”)
Storage limitation is a basic principle of the data protection legislation (art. 5 §1 e GDPR): personal data must (only)
be processed if it is “kept in a form which permits identification of data subjects for no longer than is necessary for the
purposes for which the personal data are processed”. In other words: data should only be kept if there is a
demonstrable (legal) obligation (e.g. in support of accounting) or need to keep it (e.g. to demonstrate execution of
an agreement), and no overriding (legal) obligation to destroy the data (e.g. a legal maximum retention period). If
there is no longer a need to keep the data, it will be hard to argue for longer retention.
[Please argue that and how the (relevant) data is kept for as long as needed. Note
that in principle the retention period is mentioned in section 3.3.]
5. Assessment of the (inherent) risks for the data subjects
A third mandatory part of a DPIA is “an assessment of the risk to the rights and freedoms of data subjects” (art. 35
§7 c GDPR).
Reference is made to section 2 for the (preliminary) assessment of the inherent risks
for the data subjects.
[The reference above can suffice in some cases. This is just an opportunity, but
no obligation, to elaborate more extensively on the risks you have identified in section 2.
You may do that by going through some “worst case” scenarios which impact the data
subjects and, for each of them, determining the (worst) possible impact on the data
subject and the probability of such an impact materialising, thus resulting in a risk
score. Scenarios to consider are: breach of confidentiality (e.g. the data is published
on a WikiLeaks-like website, in the possession of a bad actor, or shared with a foreign
government), breach of integrity (the data is knowingly or unbeknownst to us changed
or corrupted), breach of availability (the data is lost or encrypted through ransomware).]
6. Data protection by Design
An important part of the principle of accountability (art. 5 §2 GDPR) is the duty for the controller (art. 25 §1 GDPR)
to “implement appropriate technical and organisational measures” “which are designed to implement data protection
principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the
requirements of (the GDPR) and protect the rights of data subjects”, under the following conditions:
- “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes
of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons
posed by the processing”
- “both at the time of the determination of the means for processing and at the time of the processing itself”
This obligation includes the obligation for security by design, i.e. “implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk” (art. 32 GDPR).
6.1. General
[Please argue in general that and how the (personal) data processing is set up with
data protection in mind.]
6.2. Specific measures
The specific measures taken can be categorised in a number of ways. Frameworks for information security, such
as the ISO 27000 series and NIST SP 800-53, can also provide useful inspiration.
Article 32 §1 GDPR itself refers to “(a) the pseudonymisation and encryption of personal data, (b) the ability to
ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (c) the
ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical
incident, (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and
organisational measures for ensuring the security of the processing”.
[Please insert information on the specific measures (to be) taken, e.g.]
- Deciding not to collect certain types of data.
- Reducing the scope of the processing.
- Anonymising or pseudonymising data where and as soon as possible.
- Reducing retention periods.
- Using a different technology.
- Taking additional technological security measures.
- Writing internal guidance or processes to avoid risks.
- Instructing and training (relevant) staff to ensure risks are anticipated and
managed.
- Putting clear data sharing agreements into place, especially with processors
(art. 28 GDPR) or joint controllers (art. 26 GDPR).
- Ensuring audit assurance on the data processing, especially when performed
by third parties (processors or joint controllers).
- Making changes to privacy statement to increase transparency for the data
subject (art. 12-14 GDPR).
- Offering individuals the chance to opt out, where appropriate.
- Implementing new systems to help individuals to exercise their rights (art. 12-
23 GDPR).
- Adding a human element to review automated decisions (art. 22 GDPR), if any.
7. Assessment of the (residual) risks for the data subjects
A third mandatory part of a DPIA is “an assessment of the risk to the rights and freedoms of data subjects” (art. 35
§7 c GDPR). The inherent risks, so in principle PRIOR to the measures described in chapter 6, should be set out
in chapters 2 and/or 5. This chapter looks at the risk AFTER the (implementation of the) measures described in
chapter 6, to determine what the level of the residual risk is for the data subjects.
[EITHER] After the measures described (see chapter 6), we assess the (residual)
risks for the data subjects to be mitigated to a reasonable, low level of risk. We still
identify the following risks and aim to control them as indicated above:
[Please indicate what risks you still identify and the level you assess them at (with
some brief explanation), e.g.]
- Privacy of the individuals (data subjects)
- Data protection of the individuals (data subjects)
- Discrimination of the individuals (data subjects)
- Retaliation against the individuals (data subjects)
- Bodily harm to the individuals (data subjects)
- Threat of life for the individuals (data subjects)
[OR] After the measures described (see chapter 6), we assess the (residual) risks for
the data subjects to be mitigated, but still to be at a high level. Reference is made to
chapter 8 below.
8. Involvement of the data protection authority
If and when the DPIA leads to the result that even after the mitigating measures the risks for the data subjects are
still high, the organisation must consult with the Data Protection Authority (in Belgium the
Gegevensbeschermingsautoriteit or Autorité de Protection des Données) (art. 36 §3 GDPR). Any such consultation
will be performed via the data protection officer (or in the absence thereof the legal office) of the organisation, or as
the case may be, supported by an (external) legal counsel.
[DEFAULT] No data protection authority was involved, as such was not necessary.
[WHEN CONSULTED] The Belgian data protection authority was consulted via a case
file (art. 36 §6 GDPR) provided to it on (date). The result of the consultation was as
follows: (insert result).
9. Concluding remarks
[Please state in short what conclusion you drew from the final DPIA.]
[e.g. the open actions are integrated in the action log for the project.]