---
name: dpia-en-template-full-version
description: "Full English DPIA template aligned with Art. 35 GDPR covering description, necessity, proportionality, risk to data subjects, measures, residual risk and approval. Output: ready-to-fill DPIA template in English for cross-border or English-speaking deployments."
---

# DPIA Full Template in English

## Purpose

Complete English-language Data Protection Impact Assessment template aligned with Art. 35 GDPR. All six sections required by Art. 35(7) GDPR are pre-filled with placeholders so that a controller can populate the document and submit it to the data protection officer (DPO) or the supervisory authority. The template follows the methodological structure: description, necessity and proportionality, risk to data subjects, measures, residual risk, approval.

## When to use

- After a positive DPIA threshold assessment
- When the processing involves English-speaking deployments, joint controllers in the EU and outside the EU, or English documentation requirements
- Before a prior consultation under Art. 36 GDPR with an English-language file
- When the in-house format is missing and a defensible standard template is needed

## Legal framework

- Art. 35(7) GDPR minimum content of a DPIA:
  - lit. a systematic description of processing operations and purposes
  - lit. b assessment of necessity and proportionality
  - lit. c assessment of risk to rights and freedoms of data subjects
  - lit. d measures envisaged to address the risk, including safeguards, security measures and mechanisms
- Art. 35(2) GDPR DPO consultation
- Art. 35(9) GDPR consultation of data subjects or their representatives where appropriate
- Art. 5(2) GDPR accountability
- EDPB Guidelines WP 248 rev.01 on DPIA

## 6-step methodology

1. **Description of processing.** Populate Section 1.
2. **Necessity and proportionality assessment.** Section 2.
3. **Risk to data subjects.** Section 3 with risk matrix.
4. **Measures to mitigate risk.** Section 4.
5. **Residual risk.** Section 5.
6. **Approval.** Section 6 with signatures.

## Template (English Full DPIA)

```
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
pursuant to Article 35 GDPR

Internal reference: [...]
Version: [1.0] | Date: [DD-MM-YYYY]
Controller: [Legal entity, address, legal representative]
DPO: [Name, e-mail, phone]
Lead department: [...]
Classification: [confidential / internal]

COVER PAGE
Processing activity: [Designation]
Legal basis: [Art. 6 / Art. 9 GDPR, plus national law if applicable]
Competent supervisory authority: [BfDI / state DPA / lead authority Art. 56]
Version history: [...]

EXECUTIVE SUMMARY (one page)
Purpose: [...]
Categories of data: [...]
Data subjects: [...]
Overall risk before measures: [HIGH / MEDIUM / LOW]
Overall risk after measures: [HIGH / MEDIUM / LOW]
Approval recommendation: [Approved / Prior consultation Art. 36 / Not approved]

1. DESCRIPTION OF PROCESSING (Art. 35(7)(a) GDPR)

1.1 Purpose and nature of processing
[...]

1.2 Categories of personal data
- Identification data: [...]
- Content data: [...]
- Usage data: [...]
- Special categories Art. 9 GDPR: [...]
- Criminal data Art. 10 GDPR: [...]

1.3 Categories of data subjects
[Customers / Employees / Patients / Citizens]

1.4 Recipients and transfers
- Internal recipients: [...]
- External processors: [...]
- Third country transfers: [Country, safeguards under Chapter V]

1.5 Retention periods
[Period, deletion concept]

1.6 Technical environment
[Hosting, sub-processors, encryption baseline]

1.7 Data flow
[Diagram reference or short narrative]

2. NECESSITY AND PROPORTIONALITY ASSESSMENT (Art. 35(7)(b) GDPR)

2.1 Necessity of processing for purpose
[Suitable, necessary, no less intrusive means]

2.2 Data minimisation Art. 5(1)(c) GDPR
[...]

2.3 Purpose limitation Art. 5(1)(b) GDPR
[...]

2.4 Storage limitation Art. 5(1)(e) GDPR
[...]

2.5 Lawfulness Art. 6 / Art. 9 GDPR
[Legal basis per category of data and category of data subject]

2.6 Rights of data subjects
[How are access, rectification, erasure, restriction, portability, objection ensured?]

2.7 Transparency Art. 12 et seq. GDPR
[...]

3. RISK TO DATA SUBJECTS (Art. 35(7)(c) GDPR)

3.1 Risk matrix before measures

| No | Scenario                          | Likelihood | Severity | Risk      |
|----|-----------------------------------|------------|----------|-----------|
| 1  | Unauthorised access (confid.)     | [h/m/l]    | [h/m/l]  | [R/O/Y/G] |
| 2  | Data leakage outside the organisation |        |          |           |
| 3  | Covert profiling                  |            |          |           |
| 4  | Data loss / availability          |            |          |           |
| 5  | Manipulation / integrity          |            |          |           |
| 6  | Discrimination of data subjects   |            |          |           |
| 7  | Identity theft                    |            |          |           |

3.2 Protection goals touched
[Confidentiality / Integrity / Availability / Transparency / Intervenability / Unlinkability / Data minimisation]

3.3 Vulnerable data subjects
[Children / Patients / Employees / Consumers]

4. MEASURES TO MITIGATE RISK (Art. 35(7)(d) GDPR)

4.1 Technical measures (Art. 32 GDPR)
- Encryption: [type, key length]
- Pseudonymisation: [...]
- Access control: [role / rights concept]
- Logging: [...]
- Backup and restore: [...]
- State of the art: [...]

4.2 Organisational measures
- Training: [target group, frequency]
- Four-eyes principle: [...]
- Authorisation concept: [...]
- Incident response plan: [...]

4.3 Contractual measures
- Data processing agreement (Art. 28 GDPR): [Processor, date, version]
- Standard Contractual Clauses for transfers: [Module, date]
- Transfer impact assessment (TIA): [Reference]

4.4 Measures table

| No | Risk | Measure | Owner | Deadline | Residual risk |
|----|------|---------|-------|----------|---------------|

5. RESIDUAL RISK

5.1 Risk matrix after measures
[Table as 3.1 with values after measures]

5.2 Assessment of residual risk
[Remaining risk per scenario, overall rating]

5.3 Need for prior consultation Art. 36 GDPR
[ ] No consultation required (residual risk medium or low)
[ ] Prior consultation required (residual risk high)

6. CONSULTATION AND APPROVAL

6.1 DPO opinion (Art. 35(2) GDPR)
[Wording or reference to annex]
DPO signature: ____________________ Date: ____________________

6.2 Consultation of data subjects (Art. 35(9) GDPR)
[Performed / not performed with justification]

6.3 Approval by controller
Name: ____________________
Role: ____________________
Signature: ____________________ Date: ____________________

6.4 Inclusion in records of processing Art. 30 GDPR
Reference: [...]

6.5 Review plan Art. 35(11) GDPR
Next review: [DATE]
Triggers for ad-hoc review: [change of data categories / recipients / technology / law]
```

## Typical mistakes

- Section 1 stays generic without an actual data flow description.
- Necessity assessment is reduced to the legal basis; data minimisation and storage limitation are ignored.
- Risk scenarios only cover confidentiality; the other protection goals are left blank.
- Measures table without owner and deadline — not steerable.
- DPO signs late or not at all — evidentiary gap.
- No version control — changes are not traceable.

## Cross-references

- `datenschutzrecht/skills/dsfa-template-deutsch-vollvorlage/SKILL.md` — German full template
- `datenschutzrecht/skills/dsfa-risikoanalyse-eintrittswahrscheinlichkeit-schaden/SKILL.md` — Risk methodology
- `datenschutzrecht/skills/dpia-en-summary-for-management/SKILL.md` — English management summary
- `datenschutzrecht/skills/dsfa-für-internationale-datentransfers/SKILL.md` — International transfers
- `references/zitierweise.md` — Citation rules

## Sources as of 06/2026

- Art. 35(2), (7), (9), (11) GDPR
- Art. 5(2), 30, 32 GDPR
- EDPB Guidelines WP 248 rev.01
- SDM V3.0 (German Standard Data Protection Model) — protection goals
- Case law: do not cite from model knowledge; verify with official sources
- Literature: only cite from a user-provided source or licensed live access