Overview

This template serves as a structured working aid for creating a Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR for AI systems.

It is based on the legal minimum requirements and extends them with AI-specific aspects such as:

• Training data
• Model architecture
• Bias and discrimination risks
• Human oversight
• Post-market monitoring

Data Protection Impact Assessment (DPIA)

1. Systematic Description of the Processing

1.1 Project Name

• Name of the AI system:
• Version:
• Responsible organisation:
• Contact person:

1.2 Purpose of Processing

• What specific purpose does the AI system serve?
• Does it influence decisions about individuals?
• Is there Art. 22 relevance?

1.3 System Description

• Type of system (e.g. scoring, classification, generative AI)
• Deployment context (e.g. HR, finance, healthcare)
• Degree of automation (supporting / decision-making)

1.4 Data Categories

• Personal data:
• Special categories (Art. 9 GDPR)?
• Sensitive inferences possible?
• Data sources (direct, third-party source, web scraping)?

1.5 Affected Groups of Individuals

• Applicants
• Customers
• Patients
• Employees
• Others

1.6 Data Flows

• Collection
• Storage
• Training
• Inference
• Third-country transfer (yes/no)
• Sub-processors involved?

2. Assessment of Necessity and Proportionality

2.1 Legal Basis

• Art. 6 GDPR:
• Art. 9 exception (if applicable):

Justification:

2.2 Purpose Limitation

• Is the training purpose clearly defined?
• Is there a change of purpose?

2.3 Data Minimisation

• What minimisation measures have been taken?
• Can data be reduced or anonymised?

2.4 Storage Limitation

• Is the retention period defined?
• Is a deletion concept in place?

3. Risk Assessment

3.1 Identified Risks

3.2 AI-Specific Risks

• Proxy discrimination
• Training data bias
• Model drift
• Misclassification
• Over-reliance on AI output
• Manipulation (data poisoning, prompt injection)

3.3 Assessment of Impacts

• Economic impacts
• Reputational damage
• Fundamental rights infringements
• Psychological impacts

4. Measures for Risk Minimisation

4.1 Technical Measures

• Pseudonymisation
• Encryption
• Access restrictions
• Logging
• Bias tests
• Drift detection

4.2 Organisational Measures

• Training
• Human oversight
• Four-eyes principle
• Incident response process
• Definition of roles and responsibilities

4.3 Transparency Measures

• Privacy notices updated
• Logic explanation provided
• Information about automated decisions

4.4 Third-Country Transfer Measures

• SCCs concluded
• DPF certification reviewed
• Transfer Impact Assessment carried out

5. Residual Risk Assessment

• Does a high risk remain despite measures?
• If yes: Is consultation of the supervisory authority required? (Art. 36 GDPR)

6. Connection to the EU AI Act (Optional)

• High-risk classification reviewed?
• Risk management system in place?
• Technical documentation available?
• Conformity assessment required?

7. Approval and Documentation

• Date of creation:
• Responsible person:
• Data protection officer consulted?
• Last updated:

Next Steps

1. Use this template as the basis for your specific AI project.
2. Complete all fields thoroughly and traceably.
3. Involve data protection and specialist departments early.
4. Review AI Act risk classification in parallel.
5. Have your DPIA reviewed by qualified experts if necessary.