Free tool
GDPR DPIA necessity checker
Answer nine questions about your processing to see whether a Data Protection Impact Assessment is likely required under GDPR Article 35. Based on the EDPB WP248 rev.01 criteria. A structured assessment, not legal advice.
Frequently asked questions
- Does this tool produce a binding determination?
  No. It applies the EDPB WP248 rev.01 criteria and the Article 35(3) cases to your answers and returns a structured assessment. The decision rests with the controller and its DPO, informed by your supervisory authority's published lists. When in doubt, the EDPB recommends carrying out a DPIA.
- What is a DPIA?
  A Data Protection Impact Assessment is the prior assessment GDPR Article 35 requires for processing likely to result in a high risk. It describes the processing, assesses necessity and proportionality, evaluates the risks to people, and sets out the measures to address them.
- When must the DPIA be done?
  Before the processing begins; a DPIA is a prior assessment. For ongoing processing, review it whenever the nature, scope, context, or purposes change.
- What are the nine EDPB criteria?
  Evaluation or scoring; automated decisions with significant effect; systematic monitoring; sensitive or highly personal data; large-scale processing; matching or combining datasets; vulnerable data subjects; innovative technology; and processing that prevents exercising a right or using a service. Meeting two or more indicates processing likely to result in a high risk.
- Do supervisory authority lists override this?
  Yes. Under Article 35(4) each authority publishes processing that always requires a DPIA, and may publish (35(5)) processing that does not. Those lists are authoritative for their Member State and should be checked alongside this assessment.
By ISMS Copilot. Based on GDPR Article 35 and EDPB guidelines WP248 rev.01.
