--- name: dpia-en-summary-for-management description: "Concise English DPIA management summary aligned with Art. 35 GDPR for board executive committee or non-legal stakeholders. Output: one-pager covering processing necessity risk measures residual risk approval recommendation." --- # DPIA Management Summary in English ## Purpose Concise English-language management summary of a Data Protection Impact Assessment (DPIA) under Art. 35 GDPR. Designed for board members, executive committees, group risk officers and other non-legal stakeholders who require a defensible one-pager rather than the full DPIA document. The summary follows the six-step methodology and ends with an explicit approval recommendation. ## When to use - When a DPIA is on the agenda of a board, executive committee or steering committee - For investor due diligence covering high-risk processing - For internal audit and group risk reporting in English - For exchange with English-speaking parent companies, joint controllers or processors - For cross-border consultation drafts that later are translated into national language ## Legal framework - Art. 35(7) GDPR mandatory content of a DPIA - Art. 35(2) GDPR DPO consultation - Art. 36 GDPR prior consultation if residual risk remains high - Art. 5(2) GDPR accountability principle - EDPB Guidelines WP 248 rev.01 on DPIA - For AI-related processing: Regulation (EU) 2024/1689 Art. 26 and Art. 27 ## 6-step structure of the management summary 1. **Description of processing.** One paragraph: purpose, data, subjects, technology, transfers. 2. **Necessity and proportionality assessment.** One paragraph: legal basis, minimisation, alternatives. 3. **Risk to data subjects.** Short risk table with the top scenarios. 4. **Measures to mitigate risk.** Short list of key measures. 5. **Residual risk.** Risk rating before and after measures. 6. **Approval recommendation.** Approve, approve with conditions, prior consultation under Art. 36, do not approve. ## Template (English management summary) ``` DPIA MANAGEMENT SUMMARY Confidential — for internal management use Reference: [DPIA-YYYY-NN] Date: [DD-MM-YYYY] Controller: [Entity, legal representative] DPO: [Name, contact] 1. PROCESSING IN ONE PARAGRAPH [What is processed, for what purpose, on which legal basis, for which categories of data subjects, with which key technology, including transfers to third countries.] 2. NECESSITY AND PROPORTIONALITY - Legal basis: [Art. 6 / Art. 9 GDPR with national law] - Data minimisation: [Brief assessment] - Less intrusive alternatives considered: [Yes / No, with note] - Storage period: [Period, justification] - Data subject rights: [Implemented mechanisms] 3. TOP RISKS TO DATA SUBJECTS (BEFORE MEASURES) | Scenario | Likelihood | Severity | Rating | | Unauthorised access | [h/m/l] | [h/m/l] | [R/O/Y/G] | | Covert profiling | | | | | Data leakage / transfer exposure | | | | | Discrimination of data subjects | | | | | Identity theft / fraud | | | | 4. KEY MEASURES - Technical: [encryption, pseudonymisation, access control, logging, key management] - Organisational: [training, four-eyes principle, authorisation concept, incident response] - Contractual: [DPA Art. 28, SCC for transfers, TIA] - AI-specific (if applicable): [human oversight, logging Art. 26(6) AI Act, transparency Art. 50 AI Act] 5. RESIDUAL RISK | Scenario | Rating after measures | | Unauthorised access | [R/O/Y/G] | | Covert profiling | | | ... | | Overall residual risk: [HIGH / MEDIUM / LOW] 6. APPROVAL RECOMMENDATION [ ] Approve — proceed with processing [ ] Approve with conditions — see action items [ ] Prior consultation under Art. 36 GDPR required [ ] Do not approve — redesign processing Action items | No | Action | Owner | Deadline | Next review: [DATE] Sign-off Controller representative: ____________________ Date: ____________________ DPO: ____________________ Date: ____________________ ``` ## Typical mistakes - Management summary uses different wording than the full DPIA — inconsistency creates legal risk. - Risk table is reduced to a single rating without scenarios — board cannot challenge. - Approval recommendation is hidden in narrative — should be a binary choice. - DPO opinion is not referenced — looks like a controller-only decision. - Cross-border or AI specifics omitted in the summary even though they are key in the full DPIA. - No action items with owner and deadline — recommendation is not actionable. - Confidentiality classification missing — risk of unintended disclosure. ## Cross-references - `datenschutzrecht/skills/dpia-en-template-full-version/SKILL.md` — Full English DPIA template - `datenschutzrecht/skills/dsfa-template-deutsch-vollvorlage/SKILL.md` — German full template - `datenschutzrecht/skills/dsfa-restrisiko-und-art-36-konsultation/SKILL.md` — Art. 36 procedure - `datenschutzrecht/skills/dsfa-für-internationale-datentransfers/SKILL.md` — Transfers - `datenschutzrecht/skills/dsfa-für-ki-systeme-schnittstelle-art-26-kivo/SKILL.md` — AI interface - `references/zitierweise.md` — Citation rules ## Sources as of 06/2026 - Art. 5(2), 35, 36 GDPR - Regulation (EU) 2024/1689 (AI Act), Art. 26 and 27 - EDPB Guidelines WP 248 rev.01 on DPIA - EDPB Opinion 28/2024 on AI models - Case law: do not cite from model knowledge; verify with official sources - Literature: only cite from user-provided source or licensed live access