GDPR · Art. 35

Data Protection Impact Assessment (DPIA)

When processing is likely to result in a high risk to the rights and freedoms of individuals, a data protection impact assessment is mandatory under Art. 35 GDPR. SimpleAct guides you through threshold check, risk assessment and mitigation.

What is a DPIA?

The Data Protection Impact Assessment (DPIA; in German Datenschutz-Folgenabschätzung, DSFA) is a risk analysis carried out before processing starts for particularly critical processing operations. It is mandatory when processing – for example through the use of new technologies, extensive profiling or the processing of sensitive data – is likely to result in a high risk to the rights and freedoms of data subjects. The goal is to identify risks early and reduce them through appropriate technical and organisational measures before processing begins.

When is a DPIA mandatory?

Systematic evaluation
Systematic and extensive evaluation of personal aspects, such as profiling or scoring, on which decisions with legal or similarly significant effects on data subjects are based, e.g. automated decision-making (Art. 35(3)(a)).
Large-scale sensitive data
Processing on a large scale of special categories of data (Art. 9) or of data relating to criminal convictions and offences (Art. 10) (Art. 35(3)(b)).
Systematic monitoring
Systematic monitoring of publicly accessible areas on a large scale, for example through video surveillance (Art. 35(3)(c)).
New technologies
Use of new technologies such as AI whose risks to data subjects are not yet well understood (Art. 35(1)).

Steps of a DPIA

  • Threshold check: is a DPIA required at all?
  • Systematically describe the processing (purpose, nature, scope and context)
  • Assess the necessity and proportionality of the processing in relation to its purpose
  • Analyse the risks to the rights and freedoms of data subjects (likelihood and severity)
  • Define remedial measures and safeguards that reduce those risks
  • Seek the advice of the data protection officer, where one is designated, and document the result
  • If a high residual risk remains despite the measures: consult the supervisory authority before processing begins (Art. 36)

Frequently asked questions about DPIAs

Who decides whether a DPIA is needed?

The controller – supported by the data protection officer, whose advice must be sought where one is designated. Supervisory authorities also publish lists (Art. 35(4)) of processing operations for which a DPIA is always required.

What is the difference between a DPIA and a TIA?

The DPIA assesses the risk that a processing activity as a whole poses to data subjects. The Transfer Impact Assessment (TIA) specifically assesses the risk of transferring personal data to third countries outside the EU/EEA, for example whether the recipient's legal environment undermines the protection provided by the chosen transfer mechanism.

Does the DPIA have to be sent to the authority?

No – only if a high residual risk remains after mitigation must the supervisory authority be consulted before processing begins (Art. 36). Otherwise the DPIA is documented internally and made available to the authority on request.

How often must a DPIA be reviewed?

The DPIA must be reviewed at least when the risk presented by the processing changes (Art. 35(11)) – in particular when the purpose, scope or technologies used change materially.

Data Protection Impact Assessment with SimpleAct

Carry out threshold check, risk assessment and mitigation in a structured way – with traceable documentation for the supervisory authority.
