Free template — no email gate

Free DPIA template (GDPR Article 35) — XLSX

A data protection impact assessment workbook pre-structured from the text of Regulation (EU) 2016/679: an Art. 35 screening checklist with the WP248 criteria, processing-description prompts mapped to Art. 35(7), a risk register judged from the data subject's perspective, and the Art. 36 prior-consultation determination. Download it, fill it in, keep it — the links are direct files.

No form, no sign-up. Requirement wording follows the regulation as published on EUR-Lex.

What's inside

Five sheets, screening to sign-off.

Sheet 1 — Screening (Art. 35)

Do you need a DPIA at all? The statutory triggers — the Art. 35(1) high-risk test and the three Art. 35(3) cases (profiling with legal or similarly significant effects, large-scale special categories, systematic monitoring of publicly accessible areas) — plus your supervisory authority's Art. 35(4)/(5) lists and the nine WP248 criteria, each with a Yes/No dropdown and a conclusion cell. Rule of thumb from the guidelines: two or more criteria met, a DPIA is likely required.

Sheet 2 — Processing description

Prompt rows mapped to Art. 35(7): the systematic description of the processing operations and their purposes including any legitimate interest (35(7)(a)), and the necessity and proportionality assessment (35(7)(b)) — plus DPO advice (35(2)), data-subject views (35(9)), and the review plan (35(11)).

Sheet 3 — Risk register

The Art. 35(7)(c) assessment: Risk to data subjects, Severity and Likelihood (High / Medium / Low dropdowns), Initial risk, Mitigation, Residual risk, and a Citation / source column so each row can say where it comes from. Judged from the data subject's perspective, not the organisation's.

Sheet 4 — Art. 36 determination

The closing question: after mitigation, does any risk to data subjects remain high? If yes, Art. 36(1) requires consulting the supervisory authority before processing starts — the sheet carries what to provide (Art. 36(3)) and the authority's response window (Art. 36(2)).

Sheet 5 — About

Source (Regulation (EU) 2016/679 on EUR-Lex, WP248 attribution), license (free to use internally, not for resale), and the generation date — so the file stays honest when it circulates without this page.

How to use it

Four passes, in order.

  1. Screen first

     Sheet 1 decides whether a DPIA is required — statutory triggers first, then the WP248 criteria. Record the conclusion and its basis even when the answer is no.

  2. Describe before you judge

     Sheet 2's prompts pin down what data, about whom, flowing where, and why the processing is necessary and proportionate — before any risk scoring starts.

  3. Register the risks

     One row per risk to data subjects on sheet 3, scored for severity and likelihood, with the mitigation and the residual risk it leaves behind.

  4. Close with Article 36

     If any residual risk stays high and you cannot mitigate it further, the determination sheet points you to prior consultation with the supervisory authority — before processing, not after.

Prefer it filled in? The same structure, produced and cited by the gateway — every provision fetched from the regulation, every risk row traced to its source, reviewed by a practitioner. Read the sample DPIA or scope a DPIA.

Questions before you download

The short answers

Is it really free — no email?
Yes. The download links above are direct file links: no form, no email address, no account. Use and adapt the workbook inside your organisation; the one thing we ask is that you don't resell it or redistribute it as a standalone product.

What law is it based on?
Regulation (EU) 2016/679 (GDPR), Articles 35 and 36, as published on EUR-Lex. The requirement rows quote or closely paraphrase the regulation text; the nine screening criteria summarise the Article 29 Working Party's DPIA guidelines (WP248 rev.01), endorsed by the EDPB, and are labelled as such in the workbook.

Can Ansvar fill it in for us?
Yes. The DPIA service produces the same structure completed for your processing — every provision fetched from the regulation through the Ansvar gateway, every risk row cited, reviewed by a practitioner. Read a complete worked sample to see what that looks like before you book anything.

Is this legal advice?
No. Ansvar is not a law firm, and the template is a working format, not legal advice: it gives you the regulation's structure and provision references, and every row traces to the article it rests on. What you fill in is your assessment — the format is built so your counsel or DPO can check each line and take the legal position.