DPIA
A guided Data Protection Impact Assessment under GDPR Article 35. The workflow walks you through screening, processing description, DPO consultation, risk identification, per-risk analysis, consultation steps and the final report — with citations to the articles and authority guidance that apply.
Tier
Team and Company. On Premium, begin with the search-driven gap analysis guide: gaps against GDPR Articles 32 and 35 are what indicate that a DPIA is needed in the first place. Once that analysis surfaces a DPIA trigger, upgrade to Team to run the assessment. Company tier additionally produces a cryptographically anchored audit package via export_audit_package, for regulated verticals that need offline-verifiable evidence.
What you ask the agent
Start a DPIA for our new HR-screening feature.
It scores candidates from CV text and an applicant questionnaire,
processing data of EU candidates, hosted in Sweden.

The agent calls start_workflow(workflow_type="dpia") and works the stages in turn. Document evidence (data flow diagrams, sub-processor lists, retention schedules) is registered through register_document and cited at paragraph level.
Stages
- Screening & scope — screening question to confirm a DPIA is required, structured processing description, DPO consultation note, document collection, necessity and proportionality assessment, user-reviewed scope confirmation.
- Risk identification — data-subject views (where applicable under Article 35(9)), risk enumeration, user-reviewed risk list. The agent draws on the privacy threat corpus (LINDDUN and authority guidance) via search.
- Per-risk analysis — this stage is dynamic: one analysis pass per risk identified, scoring likelihood and severity with the gateway's effective_risk tool and attaching mitigations.
- Consultation & compliance — international transfer compliance check, supervisory-authority consultation note where the residual risk requires it (Article 36).
- Report — generate_report(workflow_id) assembles the DPIA document with all evidence references and citations.
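The per-risk analysis and the Article 36 decision are easiest to see on a small register. The following is an added example, not code from the product or from the effective_risk tool: the page does not state which scale that tool uses, so the 1–3 ordinal scales, the low/medium/high thresholds and the three sample risks for the HR-screening scenario are all assumptions, modelled on common supervisory-authority DPIA templates. The one rule the page does support is the decision at the end: Article 36(1) requires prior consultation with the supervisory authority when the DPIA shows that processing would still present a high risk after the planned mitigations.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed 1-3 ordinal scales (assumption: the page does not give the
# scale the effective_risk tool uses). Labels follow common DPIA templates.
LIKELIHOOD = {"remote": 1, "possible": 2, "probable": 3}
SEVERITY = {"minimal": 1, "significant": 2, "severe": 3}


def risk_level(likelihood: int, severity: int) -> str:
    """Map a likelihood x severity product onto low / medium / high.

    Thresholds are an assumption: 6-9 high, 3-5 medium, 1-2 low."""
    score = likelihood * severity
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Mitigation:
    description: str
    likelihood_reduction: int = 0  # how many steps down the likelihood scale
    severity_reduction: int = 0    # how many steps down the severity scale


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str
    severity: str
    source: str = ""  # LINDDUN category or authority guidance it was drawn from
    mitigations: List[Mitigation] = field(default_factory=list)

    def inherent(self) -> Tuple[int, int, str]:
        lik, sev = LIKELIHOOD[self.likelihood], SEVERITY[self.severity]
        return lik, sev, risk_level(lik, sev)

    def residual(self) -> Tuple[int, int, str]:
        """Score after mitigations; neither axis can drop below 1."""
        lik, sev, _ = self.inherent()
        lik = max(1, lik - sum(m.likelihood_reduction for m in self.mitigations))
        sev = max(1, sev - sum(m.severity_reduction for m in self.mitigations))
        return lik, sev, risk_level(lik, sev)


def assess(risks: List[Risk]) -> Dict:
    """Build a risk register and take the residual-risk decision."""
    register = []
    for r in risks:
        il, isv, ilev = r.inherent()
        rl, rsv, rlev = r.residual()
        register.append({
            "risk_id": r.risk_id,
            "description": r.description,
            "source": r.source,
            "inherent": (il, isv), "inherent_level": ilev,
            "mitigations": [m.description for m in r.mitigations],
            "residual": (rl, rsv), "residual_level": rlev,
        })
    # Article 36(1): prior consultation with the supervisory authority is
    # required when high risk remains after the planned measures.
    needs_consultation = any(row["residual_level"] == "high" for row in register)
    return {"register": register,
            "article_36_consultation_required": needs_consultation}


# Constructed sample risks for the HR-screening scenario on this page.
SAMPLE_RISKS = [
    Risk("R1", "CV scoring model produces discriminatory outcomes for a protected group",
         "possible", "severe", source="LINDDUN: unawareness / non-compliance",
         mitigations=[Mitigation("Bias testing on historical applicant data before go-live",
                                 likelihood_reduction=1)]),
    Risk("R2", "Questionnaire answers revealing health or trade-union data kept after the decision",
         "probable", "significant", source="Article 9 special categories",
         mitigations=[Mitigation("Retention schedule deletes candidate records 6 months after decision",
                                 likelihood_reduction=2)]),
    Risk("R3", "Candidate data sent to a sub-processor outside the EU without safeguards",
         "possible", "severe", source="Chapter V transfers"),  # no mitigation registered yet
]


def example_register() -> Dict:
    return assess(SAMPLE_RISKS)


if __name__ == "__main__":
    result = example_register()
    for row in result["register"]:
        print(f'{row["risk_id"]}: inherent {row["inherent_level"]} -> residual {row["residual_level"]}')
    print("Article 36 prior consultation required:", result["article_36_consultation_required"])
```

R1 drops from high to medium because the mitigation lowers likelihood but leaves severity untouched; R2 drops to low; R3 has no registered mitigation, so it stays high and the register flags the supervisory-authority consultation. Registering a transfer safeguard for R3 (and re-running the assessment) is what would clear the flag, which is the loop the consultation & compliance stage closes.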
What you get back
A DPIA report with: processing description, lawful basis and purpose, data-subject categories, necessity and proportionality assessment, risk register with per-risk scoring and mitigations, consultation outcomes, and the residual-risk decision. Each substantive claim cites either a GDPR article, an EDPB guideline, or a national-authority opinion.