
Audit model: EDPB DPIA Template 2026

European Data Protection Board – Data Protection Impact Assessment template (Version 1.0, March 2026). Structured framework for conducting DPIAs as required under Article 35 GDPR.

1. Overview of the Processing

1. 0.1 Controller(s)

1.1. Controller – name and contact details
1.2. Management units responsible for the processing inside the organisation
1.3. Main establishment / point of contact or EU representative
1.4. Information about the DPO or similar function, if applicable

2. 0.2 Processor(s) and Sub-processor(s)

2.1. List of processors and sub-processors, with their obligations and tasks

For each processor/sub-processor, provide their name and describe their obligations and tasks.

3. 0.3 Name of the Processing

3.1. Internal name of the processing (as recorded in the record of processing activities)
3.2. Current version and version history of the processing

4. 0.4 Planning of the Processing

4.1. Estimated launch date
4.2. Estimated end date or expiration conditions

Applicable if the processing is temporary or has a defined end date.

5. 0.5 DPIA Technical Sheet

5.1. Current version and version log of this DPIA document
5.2. Team involved in conducting this DPIA
5.3. Guidelines, standards, codes of conduct and reference materials used
5.4. Reasons to conduct this DPIA

Select all reasons that triggered the obligation or need to conduct this DPIA (Article 35 GDPR and EDPB guidance).

5.5. Other reason to conduct this DPIA (if not listed above)
5.6. If the processing or context has changed, describe how
5.7. Scope of this DPIA
5.8. Completion date of this DPIA
5.9. Formal validation date

Date of approval of the DPIA as complete and finished by a responsible official.

5.10. Is this DPIA (or parts of it) intended to be published or shared externally?
5.11. How will the DPIA be published or shared externally?

2. Systematic Description of the Processing

1. 1.1 High-level Description

1. 1.1.a Processed Personal Data

1.1. List all personal data items or elements processed

For each data item, specify: the data type, the data subject category, any additional details, and whether it constitutes special category data under Article 9 GDPR.

1.2. Does the processing involve special categories of personal data (Article 9 GDPR)?
1.3. Which special categories of personal data are processed?

Select all applicable categories (Article 9(1) GDPR).

2. 1.1.b Purposes of the Processing

2.1. Describe the specific and explicit purposes for which personal data are processed

For each purpose, specify which personal data items (from 1.1.a) are involved and provide justification of their relevance.

3. 1.1.c Secondary or Compatible Uses

3.1. Are there secondary or compatible uses of the data beyond the primary purposes?
3.2. Describe secondary or compatible uses

For each secondary use, describe: the personal data involved, the conditions under which it occurs, and an assessment of compatibility with the primary purpose.

4. 1.1.d Nature, Scope and Context of the Processing

4.1. Nature of the processing

Describe how personal data will be handled: operations involved, technologies used, etc.

4.2. Scope of the processing

Describe the breadth and extent: volume, number of data subjects, geographical and organisational reach, frequency or duration.

4.3. Context of the processing

Describe the circumstances and environment: use cases, business processes, relationship with data subjects, vulnerable groups, etc.

4.4. Is this a cross-border processing?
4.5. Cross-border processing – justification and details
4.6. Will personal data be transferred to a recipient in a third country or international organisation?
4.7. International transfers – justification, recipient countries and transfer mechanism

2. 1.2 Functional Description

2.1. Describe the processing phases, types of operations and data flows

For each phase (collection, use, storage, sharing/transfer, deletion/destruction), describe the operations involved.

3. 1.3 Means of Processing, Assets and Architecture

3.1. Describe means of processing, supporting assets and underlying architecture

For each processing phase or stage (from 1.2), list the means of processing and supporting assets (systems, tools, infrastructure) and provide explanations.

4. 1.4 Compliance with Approved Codes of Conduct

4.1. Are there approved codes of conduct applicable to this processing?
4.2. Identify applicable codes of conduct and explain compliance

3. Analysis of the Processing

1. 2.1 Lawfulness of the Processing

1. 2.1.a Legal Basis

1.1. Legal basis under Article 6(1) GDPR

Select all applicable legal bases. If relying on legitimate interests (Art. 6(1)(f)), a balancing test must be provided below.

1.2. Justification for the chosen legal basis

For each purpose, justify the applicable legal basis. If relying on legitimate interests (Art. 6(1)(f)), provide the balancing test analysis.

2. 2.1.b Reasons to Lift the Processing Prohibition

2.1. Ground under Article 9(2) GDPR for processing special category data
2.2. Justification for the Article 9(2) ground invoked

2. 2.2 Data Minimisation, Retention and Data Quality

1. 2.2.a Data Minimisation and Retention Periods

1.1. Justify necessity and relevance of each data item, identify recipients and specify retention periods

For each personal data item (from 1.1.a): justify the need and relevance, identify recipients, specify the retention period and justify it.

2. 2.2.b Data Quality

2.1. Describe data quality metrics, requirements or thresholds for each personal data item

3. 2.3 Measures Supporting Compliance

1. 2.3.a Measures – Article 5(1) GDPR Principles

1.1. Fairness principle – Supporting measures, appropriateness/effectiveness, implementation status
1.2. Transparency principle – Supporting measures, appropriateness/effectiveness, implementation status
1.3. Purpose limitation principle – Supporting measures, appropriateness/effectiveness, implementation status
1.4. Data minimisation principle – Supporting measures, appropriateness/effectiveness, implementation status
1.5. Accuracy principle – Supporting measures, appropriateness/effectiveness, implementation status
1.6. Storage limitation principle – Supporting measures, appropriateness/effectiveness, implementation status
1.7. Integrity and confidentiality principle – Supporting measures, appropriateness/effectiveness, implementation status
1.8. Accountability principle – Supporting measures, appropriateness/effectiveness, implementation status

2. 2.3.b Measures – Exercise of Data Subjects' Rights

2.1. Information to data subjects (Arts. 12, 13 and 14 GDPR) – Measures, appropriateness, status
2.2. Right of access and data portability (Arts. 15 and 20 GDPR) – Measures, appropriateness, status
2.3. Right to rectification and erasure (Arts. 16, 17 and 19 GDPR) – Measures, appropriateness, status
2.4. Right to object and to restriction (Arts. 18, 19 and 21 GDPR) – Measures, appropriateness, status
2.5. Right not to be subject to automated decision-making (Art. 22 GDPR) – Measures, appropriateness, status

3. 2.3.c Measures – Other GDPR Requirements

3.1. Consent requirements and withdrawal mechanism (Art. 7 GDPR) – Measures, appropriateness, status
3.2. Relationship with processors – DPA requirements (Art. 28 GDPR) – Measures, appropriateness, status
3.3. Safeguards for international transfers (Chapter V GDPR) – Measures, appropriateness, status

4. 2.3.d Measures – Data Protection by Design and by Default

4.1. Data protection by design and by default (Art. 25 GDPR) – Measures, appropriateness/effectiveness, status

5. 2.3.e Measures – Security of Processing

5.1. Security of processing (Art. 32 GDPR) – Measures, appropriateness/effectiveness, implementation status

4. Necessity and Proportionality

1. 3.1 Impacts on Rights and Freedoms of Data Subjects

1.1. Describe the impacts of the processing on the rights and freedoms of data subjects

2. 3.2 Necessity Assessment

2.1. Assess whether the processing is necessary and the least intrusive option available

Evaluate whether the processing is effective and whether less privacy-intrusive alternatives were considered. Provide evidence and justification.

3. 3.3 Proportionality Assessment

3.1. Assess the proportionality of the processing

Discuss the importance of the processing and its potential benefits. Compare impacts on rights and freedoms with the advantages resulting from the processing. Provide evidence and justification.

5. Risk Assessment and Management

1. 4.1 Risk Assessment

1. 4.1.a Threats from Processing Design and Abnormal Events

1.1. Threats posed by the processing as designed (including measures already envisaged to mitigate them)

For each threat, describe: how it can materialise, the risk sources (purpose, design weaknesses, exposures), and impacts on data subjects' rights and freedoms.

1.2. Threats from malfunctions, deviations, and cybersecurity threats (CIA: confidentiality, integrity, availability)

Identify cybersecurity and operational threats. For each, describe materialisation, risk sources (vulnerabilities, exposures, errors), and impacts on data subjects.

2. 4.1.b Risk Assessment Method

2.1. Explain the method followed to assess and manage risk

Describe: likelihood and severity levels (scale and meanings), risk metrics, prioritisation criteria, risk acceptance levels, and reference to any established method.

3. 4.1.c Inherent Risk Assessment

3.1. Inherent risk assessment for each identified risk scenario

For each risk scenario (from 3.1 and 4.1.a), assess: likelihood, severity, modulating factors, overall risk level, and whether the risk is acceptable.

2. 4.2 Action Plan

1. 4.2.a Additional Mitigating Measures

1.1. Additional mitigating measures with mitigated risks, appropriateness/effectiveness and implementation status

2. 4.2.b Residual Risk Assessment

2.1. Residual risk assessment for each scenario after applying additional mitigating measures

Reassess likelihood, severity and overall risk level after additional measures. Indicate whether the residual risk is acceptable.

3. 4.2.c Implementation Plan

3.1. Plan to implement additional measures and monitor risks on an ongoing basis

Provide necessary activities, responsible teams, timelines, and monitoring/review processes to manage risks once the processing is underway.
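The method, inherent and residual assessments above (4.1.b, 4.1.c, 4.2.b) and the implementation plan (4.2.c) are normally kept as tables in the DPIA. The Python below is an added example, not part of the EDPB template or of Dastra's tooling, showing how that register can be held as data so that the residual-risk and prior-consultation checks are reproducible and re-run when a measure's status changes. Everything in it is an assumption: the four-step ordinal scale (borrowed from the CNIL PIA method), the 4x4 risk matrix, the acceptance level that rejects a "high" residual risk, and the sample scenarios and measures are all constructed for illustration; the template itself leaves scale, metrics and acceptance levels to the controller.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordinal scale assumed for both likelihood and severity.

    The template asks the controller to define the scale (section 4.1.b);
    these four steps follow the CNIL PIA method and are an assumption here.
    """
    NEGLIGIBLE = 1
    LIMITED = 2
    SIGNIFICANT = 3
    MAXIMUM = 4


# Assumed risk matrix (constructed policy, not from the template):
# RISK_MATRIX[severity - 1][likelihood - 1] -> overall risk level.
# Severity dominates: a MAXIMUM-severity impact is never rated below "medium".
RISK_MATRIX = [
    ["low",    "low",    "low",    "medium"],  # severity NEGLIGIBLE
    ["low",    "low",    "medium", "medium"],  # severity LIMITED
    ["low",    "medium", "high",   "high"],    # severity SIGNIFICANT
    ["medium", "high",   "high",   "high"],    # severity MAXIMUM
]

# Assumed acceptance level: a "high" residual risk is not accepted and, under
# Art. 36(1) GDPR, calls for prior consultation of the supervisory authority.
ACCEPTABLE = {"low", "medium"}


def step_down(level: Level, steps: int) -> Level:
    """Lower a level by `steps` without falling off the bottom of the scale."""
    return Level(max(Level.NEGLIGIBLE, int(level) - steps))


@dataclass
class Measure:
    """A mitigating measure (section 4.2.a) and its implementation status."""
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale
    severity_reduction: int = 0    # steps down the severity scale
    implemented: bool = False


@dataclass
class Scenario:
    """One risk scenario from sections 3.1 / 4.1.a with its inherent ratings."""
    name: str
    likelihood: Level
    severity: Level
    measures: list = field(default_factory=list)

    def inherent(self) -> str:
        """Section 4.1.c: risk level before any additional measure."""
        return RISK_MATRIX[self.severity - 1][self.likelihood - 1]

    def residual(self, include_planned: bool = True) -> str:
        """Section 4.2.b: risk level after the additional measures.

        With include_planned=False only measures already in place count, which
        shows the exposure while the implementation plan (4.2.c) is still running.
        """
        active = [m for m in self.measures if include_planned or m.implemented]
        lik = step_down(self.likelihood, sum(m.likelihood_reduction for m in active))
        sev = step_down(self.severity, sum(m.severity_reduction for m in active))
        return RISK_MATRIX[sev - 1][lik - 1]


def needs_prior_consultation(register, include_planned: bool = True) -> bool:
    """True if any scenario keeps an unacceptable residual risk (Art. 36(1) GDPR)."""
    return any(s.residual(include_planned) not in ACCEPTABLE for s in register)


def outstanding_measures(register):
    """Input for section 4.2.c: measures still to be implemented, per scenario."""
    return [(s.name, m.name) for s in register for m in s.measures if not m.implemented]


# Constructed sample register (illustrative scenarios, not from the template).
REGISTER = [
    Scenario(
        "Compromised administrator account exposes health records",
        likelihood=Level.SIGNIFICANT,
        severity=Level.MAXIMUM,
        measures=[
            Measure("Phishing-resistant MFA on admin accounts", likelihood_reduction=1, implemented=True),
            Measure("Pseudonymise identifiers at rest", severity_reduction=1, implemented=False),
        ],
    ),
    Scenario(
        "Contact data re-used for marketing beyond the original purpose",
        likelihood=Level.LIMITED,
        severity=Level.LIMITED,
    ),
    Scenario(
        "Case-management system unavailable after ransomware",
        likelihood=Level.LIMITED,
        severity=Level.SIGNIFICANT,
        measures=[Measure("Offline backups with tested restores", severity_reduction=1, implemented=True)],
    ),
]


def summarise(register=REGISTER):
    """Rows for the DPIA tables: inherent, residual today, residual after the plan."""
    return [(s.name, s.inherent(), s.residual(include_planned=False), s.residual()) for s in register]


if __name__ == "__main__":
    for row in summarise():
        print(" | ".join(row))
    print("Prior consultation needed today:", needs_prior_consultation(REGISTER, include_planned=False))
    print("Prior consultation needed after plan:", needs_prior_consultation(REGISTER))
```

Keeping the two residual columns side by side is the point of the example: the first scenario is "high" until the planned pseudonymisation measure is actually in place, so the implementation plan in 4.2.c, not the action plan in 4.2.a, is what decides whether the processing can start without consulting the supervisory authority.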

6. Involvement of Interested Parties

1. 5.1 DPO Advice

1.1. DPO's opinion, conclusions and recommendations concerning the processing
1.2. How has the DPO's advice been taken into account?

2. 5.2 Views of Data Subjects or Their Representatives

2.1. Have data subjects or their representatives been consulted?
2.2. Views, conclusions and recommendations of data subjects or their representatives
2.3. Explanation of data subjects' participation in the DPIA process

7. Conclusion and Decision

7.1. Formal decision on this processing activity
7.2. Reason for consulting the Supervisory Authority
7.3. Conditions to be met before the processing may proceed
7.4. Justification of the decision (optional)
7.5. Date of the decision
7.6. Name and function of the responsible official who approves this DPIA
Created at: 04/12/2026

Updated on: 04/12/2026

License: Creative Commons CC BY-NC (Attribution, Non-commercial)

Author: Leïla Sayssa

Uses: 2

