Data Protection Impact Assessment under Article 35 GDPR — threshold analysis, process and documentation
GDPR Data Protection Impact Assessment (DPIA)
Article 35 GDPR requires organisations to carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals. Whether systematic profiling, large-scale monitoring or new technologies such as AI systems — a threshold analysis determines if a DPIA is mandatory. ADVISORI supports you through every step from screening to documentation.
- ✓Threshold analysis: screening against the 9 criteria of the Article 29 Working Party
- ✓Step-by-step DPIA execution with legally compliant documentation for supervisory authorities
- ✓Risk assessment and definition of effective technical and organisational measures
- ✓Guidance on prior consultation under Article 36 GDPR when residual risk remains high
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
- Your strategic goals and objectives
- Desired business outcomes and ROI
- Steps already taken
Or contact us directly:
Certifications, Partners and more...
Data Protection Impact Assessment (DPIA) — Process, Obligations and Templates
Our DPIA Expertise
- Extensive experience in conducting DPIAs across varying levels of complexity
- Interdisciplinary team of data protection lawyers and IT security experts
- Proven DPIA methods and standardised processes
- Industry-specific expertise and regulatory specialist knowledge
⚠
Important Notice
The DPIA must be completed before processing begins. If high residual risk remains despite planned safeguards, the supervisory authority must be consulted under Article 36 GDPR. Non-compliance may result in fines of up to EUR 10 million or 2% of annual turnover.
ADVISORI in Numbers
11+
Years of Experience
120+
Employees
520+
Projects
We follow a structured and systematic approach to data protection impact assessment that meets legal requirements while creating practical added value for your data protection management.
Our Approach:
Comprehensive analysis of data processing activities
Systematic risk assessment based on established standards
Development of tailored protective measures
Legally sound documentation and reporting
Implementation of continuous monitoring processes
"ADVISORI professionalised and systematised our DPIA processes. Thanks to their methodical approach, we not only achieved compliance but also gained valuable insights into our data protection risks."
Sarah Richter
Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
Our Services
We offer you tailored solutions for your digital transformation
DPIA Obligation Assessment and Risk Analysis
Systematic assessment of the DPIA obligation and comprehensive analysis of the data protection risks associated with your processing activities.
- Assessment of DPIA thresholds under GDPR Art. 35
- Detailed analysis of processing activities
- Assessment of data protection risks and their impact
- Identification of critical data protection aspects
DPIA Execution and Documentation
Professional execution of the data protection impact assessment with legally sound documentation and compliance evidence.
- Systematic DPIA execution in accordance with GDPR standards
- Development of targeted risk minimisation measures
- Comprehensive DPIA documentation for supervisory authorities
- Continuous monitoring and updating
Our Competencies in DSGVO-Implementierung
Choose the area that fits your requirements
GDPR Processes for Reporting Data Breaches
Structured processes for the timely and legally sound notification of data breaches to supervisory authorities and affected individuals in accordance with Art. 33 and 34 GDPR.
GDPR Technical & Organizational Measures (TOMs)
Article 32 GDPR requires organizations to implement appropriate technical and organizational measures (TOMs) to protect personal data. We design and implement tailored TOM frameworks covering encryption, pseudonymization, and access control for demonstrable GDPR compliance.
Frequently Asked Questions about GDPR Data Protection Impact Assessment (DPIA)
What is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment (DPIA) is a process required by Article
35 GDPR to evaluate the risks of a planned data processing activity to the rights and freedoms of individuals. It must be carried out before processing begins and covers the description of processing operations, the assessment of necessity and proportionality, a risk analysis and the identification of safeguards to mitigate those risks.
When is a DPIA mandatory under GDPR?
Article 35(3) GDPR requires a DPIA for: systematic and extensive evaluation of personal aspects based on automated processing including profiling, large-scale processing of special categories of data (Article 9) or criminal data (Article 10), and systematic monitoring of publicly accessible areas on a large scale. National supervisory authorities also publish blacklists of processing operations that always require a DPIA.
How does the DPIA threshold analysis work?
The threshold analysis uses the
9 criteria published by the Article
29 Working Party (WP 248) to determine whether a DPIA is required. These include: evaluation or scoring, automated decision-making with legal effects, systematic monitoring, processing of sensitive data, large-scale processing, matching or combining datasets, data concerning vulnerable persons, innovative use of technology, and processing that prevents data subjects from exercising their rights. When two or more criteria apply, a DPIA is generally required.
What are the steps to conduct a DPIA?
A DPIA follows four main steps: 1) Describe the processing — purpose, legal basis, data categories and recipients. 2) Assess necessity and proportionality — whether the processing is the least intrusive way to achieve the purpose. 3) Identify and evaluate risks — likelihood and severity of harm to data subjects. 4) Define mitigation measures — technical and organisational measures (TOMs) to reduce risks to an acceptable level. The results are documented and submitted to the Data Protection Officer for review.
Who is responsible for carrying out a DPIA?
The data controller (typically senior management) is responsible for conducting the DPIA. The Data Protection Officer (DPO) must be consulted under Article 35(2) GDPR and provides advice, but does not carry out the DPIA themselves. Where joint controllership exists (Article
26 GDPR), responsibilities should be contractually defined.
When must the supervisory authority be consulted?
Under Article
36 GDPR, prior consultation with the supervisory authority is required when the DPIA concludes that high residual risk remains despite all planned safeguards. The authority has up to eight weeks to provide recommendations or to prohibit the processing.
How does the DPIA relate to the EU AI Act?
AI systems processing personal data frequently require both a GDPR DPIA and a conformity assessment under the EU AI Act. High-risk AI systems listed in Annex III of the AI Act — such as credit scoring, biometric identification or recruitment tools — typically trigger the DPIA obligation because they involve systematic profiling or automated decisions with significant effects on individuals.
Success Stories
Discover how we support companies in their digital transformation
Digitalization in Steel Trading
Klöckner & Co
Digital Transformation in Steel Trading
Case Study
Results
Over 2 billion euros in annual revenue through digital channels
Goal to achieve 60% of revenue online by 2022
Improved customer satisfaction through automated processes
AI-Powered Manufacturing Optimization
Siemens
Smart Manufacturing Solutions for Maximum Value Creation
Case Study
Results
Significant increase in production performance
Reduction of downtime and production costs
Improved sustainability through more efficient resource utilization
AI Automation in Production
Festo
Intelligent Networking for Future-Proof Production Systems
Case Study
Results
Improved production speed and flexibility
Reduced manufacturing costs through more efficient resource utilization
Increased customer satisfaction through personalized products
Generative AI in Manufacturing
Bosch
AI Process Optimization for Improved Production Efficiency
Case Study
Results
Reduction of AI application implementation time to just a few weeks
Improvement in product quality through early defect detection
Increased manufacturing efficiency through reduced downtime
Let's
Work Together!
Is your organization ready for the next step into the digital future? Contact us for a personal consultation.
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
Ready for the next step?
Schedule a strategic consultation with our experts now
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
Your strategic goals and challenges
Desired business outcomes and ROI expectations
Current compliance and risk situation
Stakeholders and decision-makers in the project
Prefer direct contact?
Direct hotline for decision-makers
Strategic inquiries via email
Detailed Project Inquiry
For complex inquiries or if you want to provide specific information in advance