Free DPIA template (GDPR Article 35) — XLSX
A data protection impact assessment workbook pre-structured from the text of Regulation (EU) 2016/679: an Art. 35 screening checklist with the WP248 criteria, processing-description prompts mapped to Art. 35(7), a risk register judged from the data subject's perspective, and the Art. 36 prior-consultation determination. Download it, fill it in, keep it — the links are direct files.
No form, no sign-up. Requirement wording follows the regulation as published on EUR-Lex.
Five sheets, screening to sign-off.
Sheet 1 — Screening (Art. 35)
Do you need a DPIA at all? The statutory triggers — the Art. 35(1) high-risk test and the three Art. 35(3) cases (profiling with legal or similarly significant effects, large-scale special categories, systematic monitoring of publicly accessible areas) — plus your supervisory authority's Art. 35(4)/(5) lists and the nine WP248 criteria, each with a Yes/No dropdown and a conclusion cell. Rule of thumb from the guidelines: two or more criteria met, a DPIA is likely required.
Sheet 2 — Processing description
Prompt rows mapped to Art. 35(7): the systematic description of the processing operations and their purposes including any legitimate interest (35(7)(a)), and the necessity and proportionality assessment (35(7)(b)) — plus DPO advice (35(2)), data-subject views (35(9)), and the review plan (35(11)).
Sheet 3 — Risk register
The Art. 35(7)(c) assessment: Risk to data subjects, Severity and Likelihood (High / Medium / Low dropdowns), Initial risk, Mitigation, Residual risk, and a Citation / source column so each row can say where it comes from. Judged from the data subject's perspective, not the organisation's.
Sheet 4 — Art. 36 determination
The closing question: after mitigation, does any risk to data subjects remain high? If yes, Art. 36(1) requires consulting the supervisory authority before processing starts — the sheet carries what to provide (Art. 36(3)) and the authority's response window (Art. 36(2)).
Sheet 5 — About
Source (Regulation (EU) 2016/679 on EUR-Lex, WP248 attribution), license (free to use internally, not for resale), and the generation date — so the file stays honest when it circulates without this page.
Four passes, in order.
- 01 Screen first
  Sheet 1 decides whether a DPIA is required — statutory triggers first, then the WP248 criteria. Record the conclusion and its basis even when the answer is no.
- 02 Describe before you judge
  Sheet 2's prompts pin down what data, about whom, flowing where, and why the processing is necessary and proportionate — before any risk scoring starts.
- 03 Register the risks
  One row per risk to data subjects on sheet 3, scored for severity and likelihood, with the mitigation and the residual risk it leaves behind.
- 04 Close with Article 36
  If any residual risk stays high and you cannot mitigate it further, the determination sheet points you to prior consultation with the supervisory authority — before processing, not after.
The short answers
- Is it really free — no email?
- Yes. The download links above are direct file links: no form, no email address, no account. Use and adapt the workbook inside your organisation; the one thing we ask is that you don't resell it or redistribute it as a standalone product.
- What law is it based on?
- Regulation (EU) 2016/679 (GDPR), Articles 35 and 36, as published on EUR-Lex. The requirement rows quote or closely paraphrase the regulation text; the nine screening criteria summarise the Article 29 Working Party's DPIA guidelines (WP248 rev.01), endorsed by the EDPB, and are labelled as such in the workbook.
- Can Ansvar fill it in for us?
- Yes. The DPIA service produces the same structure completed for your processing — every provision fetched from the regulation through the Ansvar gateway, every risk row cited, reviewed by a practitioner. Read a complete worked sample to see what that looks like before you book anything.
- Is this legal advice?
- No. Ansvar is not a law firm, and the template is a working format, not legal advice: it gives you the regulation's structure and provision references, and every row traces to the article it rests on. What you fill in is your assessment — the format is built so your counsel or DPO can check each line and take the legal position.