GDPR Article 35 DPIA — full workflow run with structured report
Your HR team wants to roll out 'PeopleFlow', a US SaaS that processes payroll, performance reviews, absence data including medical certificates, and runs a 'flight-risk' profiling model for 1,200 employees across DE, NL, and SE. SCCs are in place; sub-processors include AWS us-east-1 and a separate analytics provider. The gateway's `dpia` workflow drives 23 GDPR Article 35 steps end-to-end — screening, processing description, DPO consultation, necessity + proportionality, data-subject views, 12 per-risk CNIL severity x likelihood scorings, transfer compliance, processor compliance, Article 36 determination — and returns a citation-bearing structured deliverable.
How the gateway answered
From your MCP client: "Start a dpia workflow against my HR vendor onboarding (PeopleFlow / payroll + performance + medical certificates + flight-risk profiling, 1,200 employees across DE/NL/SE, US-based vendor with SCCs). Drive each step — screening, processing description, DPO consultation, necessity + proportionality, scope review, data-subject views, risk enumeration, per-risk CNIL scoring with safeguards, transfer + processor compliance, Article 36 determination. Then generate_report() and give me the JSON, MD, and PDF."
list_workflow_types() → 8 workflow types available: dpia, dpia_de, fria, gap_analysis, linddun, tender_review, tender_review_se, threat_model
start_workflow(workflow_type="dpia" framework="GDPR" jurisdictions=[DE, NL, SE] entity_description="HR SaaS vendor PeopleFlow processing payroll, perform…") → workflow_id=7a051f04; status=active; first_step=scoping.screening
search(query="data protection impact assessment Article 35 mandator…" frameworks=[GDPR] jurisdictions=[EU] limit=8) → 8 results from EU Regulations MCP — GDPR Art. 35, Art. 22, Recital 71, Recital 91, Art. 13, Art. 14, Art. 15, Art. 47
submit_response(step_id="scoping.screening" fields=[screening.outcome, screening.rationale, screening.criteria_triggered]) → accepted; outcome=DPIA required; 5 Art. 35(3) triggers + WP29 nine-criteria + DE/NL mandatory lists; next=scoping.processing_description
submit_response(step_id="scoping.processing_description" fields=[data_types, data_subjects, purposes, legal_basis, processors, international_transfers, high_risk_indicators]) → accepted; 6 data categories incl. health data + flight-risk vector; 8/9 HRIs present; 3 US processors; 2 transfer paths
submit_response(step_id="scoping.dpo_consultation" fields=[designated, advice_sought, advice_summary, followed]) → accepted; DPO designated, advice followed: Art. 22 treatment + supplementary TIA measures + Art. 88 carve-outs
submit_response(step_id="scoping.document_collection" documents=[]) → accepted; demo run with no document uploads
search(query="Schrems II standard contractual clauses third country…" frameworks=[GDPR] jurisdictions=[EU] limit=6) → 6 results from EU Regulations MCP — GDPR Art. 45, 46, 49, Recital 108, 109, 168
search(query="special categories health data processing employment …" frameworks=[GDPR] jurisdictions=[EU] limit=6) → 6 results from EU Regulations MCP — GDPR Art. 9, Art. 88, Recital 52, 53, 54, 155
submit_response(step_id="scoping.necessity_proportionality" fields=[assessment_narrative, proportionality_assessment, lia_assessment, data_minimisation_assessment]) → accepted; LIA fails for sentiment + sick-leave features; proportionality fails for medical-cert body ingestion
submit_response(step_id="scoping.scope_review" user_acknowledged=true) → user_approved=true; full scope confirmed for risk identification
submit_response(step_id="risk_identification.data_subject_views" fields=[sought, method, summary]) → accepted; Betriebsrat + OR briefings + SE survey (n=312); DE works council formally objected on BetrVG §87 grounds
search(query="data minimisation Article 5 storage limitation purpos…" frameworks=[GDPR] jurisdictions=[EU] limit=5) → 5 results from EU Regulations MCP — GDPR Art. 5, Art. 25, Art. 47, Recital 45, Recital 85
submit_response(step_id="risk_identification.risk_enumeration" enumerated_risks_count=12) → accepted; 12 risks enumerated across confidentiality + integrity + rights categories
submit_response(step_id="risk_identification.risk_list_review" user_acknowledged=true) → user_approved=true; R-02, R-03, R-06, R-10 flagged as focus risks
submit_response(step_id="risk_analysis.R-01 through R-12" scored_risks=12 total_safeguards=27) → all 12 per-risk steps accepted; CNIL 4-band severity x likelihood enum enforced; 27 safeguards across technical / organisational / contractual types
submit_response(step_id="consultation.transfer_compliance" transfers_assessed=3) → accepted; all 3 US paths flagged adequate=false; supplementary measures + TIA documented
submit_response(step_id="consultation.processor_compliance" processors_assessed=3) → accepted; Analytics Inc. flagged as go-live blocker (no DPA)
submit_response(step_id="consultation.article_36_determination" consultation_required=false) → accepted; not required post-mitigation; pre-mitigation R-06 + R-10 would have triggered; R-06 is a hard pre-requisite
submit_response(step_id="consultation.consultation_review" user_acknowledged=true) → user_approved=true; mitigation R-06 + R-10 confirmed as hard go-live gates
generate_report(workflow_id="7a051f04-c91f-47a2-9346-b636dd522a82") → structured JSON report: screening + DPO + processing description + necessity + 12 risks + 27 safeguards + transfer/processor compliance + Art. 36 determination; residual matrix 12 low / 0 medium / 0 high / 0 critical
DPIA workflow — what the gateway actually ran
This is the full dpia workflow at gateway.ansvar.eu, driven end-to-end across 23 GDPR Article 35 steps. The gateway returns a structured JSON report, not a free-form answer — the agent's job is to drive the workflow, the gateway's job is to assemble the deliverable. Three downloads below: the raw JSON from generate_report, a human-readable Markdown render, and a customer-shaped PDF.
What the workflow produced
- Screening outcome: DPIA required, with five Article 35(3) triggers fired concurrently — profiling with significant effect, large-scale special-category data (medical certificates), WP29 nine-criteria match, and both the DE BfDI and NL AP mandatory DPIA lists.
- Processing scope mapped: 6 data categories (including health data and a flight-risk feature vector), 5 purposes, 3 processors (PeopleFlow + AWS us-east-1 + Analytics Inc., all US), 2 international transfer paths, 8 of 9 WP248 high-risk indicators present.
- DPO consulted on 2026-05-08; advice followed — flight-risk treated as Article 22 automated decision-making, supplementary technical measures on top of SCCs, Article 88 Member-State carve-outs honoured (BDSG §26, UAVG art. 30, Diskrimineringslagen).
- Necessity assessment: LIA fails as designed for the flight-risk profiling purpose — sentiment-on-manager-comments and sick-leave frequency are …
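The per-risk scoring, residual matrix, go-live gates and Article 36 determination listed above can be reproduced outside the gateway. The block below is an added illustration, not the gateway's code and not part of the original report: the four bands are the scale from CNIL's PIA methodology, but the mapping of the 4x4 map onto low/medium/high/critical, the per-safeguard reduction model, the function names (`rating`, `residual`, `residual_matrix`, `go_live_blockers`, `article_36_required`) and the three sample risks modelled loosely on R-02, R-06 and R-10 are all constructed for this example.

```python
"""Added illustration (not the gateway's own code): CNIL-style severity x
likelihood scoring of DPIA risks, the residual-risk matrix after safeguards,
hard go-live gates, and an Article 36 prior-consultation determination.
The four bands are CNIL's PIA scale; the product-to-rating mapping and the
per-safeguard reduction model are assumptions made for this example."""
from dataclasses import dataclass, field
from enum import IntEnum


class Band(IntEnum):
    """CNIL's four-level scale, used for both severity and likelihood."""
    NEGLIGIBLE = 1
    LIMITED = 2
    SIGNIFICANT = 3
    MAXIMUM = 4


def parse_band(value: str) -> Band:
    """Enforce the enum the way a gateway should: reject anything off-scale."""
    try:
        return Band[value.strip().upper()]
    except KeyError:
        allowed = [b.name.lower() for b in Band]
        raise ValueError(f"{value!r} is not a CNIL band; expected one of {allowed}") from None


@dataclass
class Safeguard:
    id: str
    kind: str                   # technical | organisational | contractual
    reduces_severity: int = 0   # bands removed from severity once in place
    reduces_likelihood: int = 0 # bands removed from likelihood once in place
    implemented: bool = False   # planned safeguards do not count until landed


@dataclass
class Risk:
    id: str
    title: str
    severity: Band    # inherent severity, before any safeguard
    likelihood: Band  # inherent likelihood, before any safeguard
    safeguards: list = field(default_factory=list)


def rating(severity: Band, likelihood: Band) -> str:
    """Assumed mapping of the 4x4 CNIL map onto four residual bands."""
    score = int(severity) * int(likelihood)
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    if score <= 8:
        return "high"
    return "critical"


def _clamp(value: int) -> Band:
    return Band(max(Band.NEGLIGIBLE, min(Band.MAXIMUM, value)))


def residual(risk: Risk, planned: bool = False) -> tuple:
    """Severity and likelihood left after safeguards (implemented only, or all planned)."""
    applicable = [s for s in risk.safeguards if planned or s.implemented]
    sev = _clamp(risk.severity - sum(s.reduces_severity for s in applicable))
    lik = _clamp(risk.likelihood - sum(s.reduces_likelihood for s in applicable))
    return sev, lik


def residual_matrix(risks, planned: bool = True) -> dict:
    """Count risks per residual band, as the report's residual matrix does."""
    counts = {"low": 0, "medium": 0, "high": 0, "critical": 0}
    for r in risks:
        counts[rating(*residual(r, planned))] += 1
    return counts


def go_live_blockers(risks) -> list:
    """Risks acceptable only once planned safeguards land: hard pre-requisites."""
    return [r.id for r in risks
            if rating(*residual(r, planned=False)) in ("high", "critical")
            and rating(*residual(r, planned=True)) in ("low", "medium")]


def article_36_required(risks) -> dict:
    """Art. 36(1): consult the authority if high risk remains despite mitigation;
    also record which risks would have triggered it before mitigation."""
    pre = [r.id for r in risks if rating(r.severity, r.likelihood) in ("high", "critical")]
    post = [r.id for r in risks if rating(*residual(r, planned=True)) in ("high", "critical")]
    return {"required": bool(post), "post_mitigation": post, "pre_mitigation": pre}


# Constructed sample loosely modelled on the page's R-02 / R-06 / R-10; not real data.
SAMPLE_RISKS = [
    Risk("R-02", "US processor access to payroll data", Band.LIMITED, Band.LIMITED, [
        Safeguard("S-04", "technical", reduces_likelihood=1, implemented=True),
        Safeguard("S-05", "contractual", reduces_severity=1, implemented=True),
    ]),
    Risk("R-06", "Medical-certificate body text ingested", Band.MAXIMUM, Band.SIGNIFICANT, [
        Safeguard("S-12", "technical", reduces_severity=2),        # keep dates only, drop body
        Safeguard("S-13", "organisational", reduces_likelihood=2), # HR-only access, audited
    ]),
    Risk("R-10", "Flight-risk model leans on sick-leave feature", Band.SIGNIFICANT, Band.SIGNIFICANT, [
        Safeguard("S-20", "technical", reduces_likelihood=2),                    # drop the feature
        Safeguard("S-21", "organisational", reduces_severity=1, implemented=True), # Art. 22 human review
    ]),
]

if __name__ == "__main__":
    print("residual matrix (all planned safeguards):", residual_matrix(SAMPLE_RISKS))
    print("residual matrix (implemented today):", residual_matrix(SAMPLE_RISKS, planned=False))
    print("hard go-live gates:", go_live_blockers(SAMPLE_RISKS))
    print("Article 36 determination:", article_36_required(SAMPLE_RISKS))
```

Running it shows the same shape of result the gateway reported: every risk lands in the low band once the planned safeguards exist, but R-06 and R-10 sit in high or critical today and so are hard go-live gates, and Article 36 consultation is not required post-mitigation even though those two risks would have triggered it beforehand. The `parse_band` check is the part worth copying: a free-text severity such as "very high" is rejected rather than silently coerced, which is what "CNIL 4-band enum enforced" means in practice.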
Every claim traces to a source you can open
A typical AI assistant invents a citation that looks plausible. Ansvar retrieves the real one. Every finding above rests on one of these 12 primary sources — official legislation, agency guidance, and case law — each a link you or your auditor can open and check. Nothing here is generated.
- GDPR (Regulation (EU) 2016/679) — Article 35 Data Protection Impact Assessment (EU · regulation · eur-lex.europa.eu)
- GDPR — Article 22 Automated individual decision-making, including profiling (EU · regulation · eur-lex.europa.eu)
- GDPR — Article 9 Processing of special categories of personal data (EU · regulation · eur-lex.europa.eu)
- GDPR — Article 46 Transfers subject to appropriate safeguards (SCCs) (EU · regulation · eur-lex.europa.eu)
- GDPR — Article 28 Processor obligations and Article 28(3) DPA contents (EU · regulation · eur-lex.europa.eu)
- GDPR — Article 36 Prior consultation with the supervisory authority (EU · regulation · eur-lex.europa.eu)
- GDPR — Article 88 Processing in the context of employment (EU · regulation · eur-lex.europa.eu)
- GDPR — Recital 91 (DPIA criteria for large-scale and profiling operations) (EU · regulation · gdpr-info.eu)
- EDPB Recommendations 01/2020 on supplementary measures for transfer tools (post-Schrems II) (EU · guidance · edpb.europa.eu)
- Article 29 Working Party WP248 rev.01 — Guidelines on Data Protection Impact Assessment (endorsed by EDPB) (EU · guidance · ec.europa.eu)
- Bundesdatenschutzgesetz (BDSG) §26 — Processing of employee data (DE · regulation · gesetze-im-internet.de)
- CJEU C-311/18 Schrems II — invalidation of Privacy Shield, conditions for SCC reliance (EU · case-law · curia.europa.eu)
Run this on your own data
This is available as a service: DPIA as a Service. Bring your own documents and scope, and we'll run it end-to-end — every finding cited and validated by the expert who delivers it.