Artifact GuideEU

EU GDPR DPIA and prior consultation workflow

A concrete workflow for deciding whether a DPIA is required, completing the Article 35 assessment, and escalating only when residual high risk triggers Article 36 prior consultation.

Use it for new or materially changed processing that may affect individuals through profiling, large-scale sensitive data, systematic monitoring, vulnerable groups, combined datasets, new technology, or difficult-to-avoid services.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
8

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

This workflow turns GDPR Articles 35 and 36 into an operating record: screen the processing, document the DPIA, choose measures, reassess residual risk, and keep the evidence needed if supervisory consultation becomes mandatory.

Section 1

1. Screen whether Article 35 requires a DPIA

Start before the processing begins or before a material change is released. Record the processing operation, controller role, purposes, data categories, affected people, systems, suppliers, recipients, storage periods, and countries involved.

A DPIA is required where the nature, scope, context, and purposes of processing, especially when using new technologies, are likely to create high risk for natural persons. Treat the screening as a written decision: either open a DPIA, rely on a recent similar DPIA with the same risk profile, or document why the threshold is not met.

  • Automatic Article 35(3) checks: systematic and extensive automated evaluation or profiling with legal or similarly significant effects; large-scale special-category or criminal-offence data; large-scale systematic monitoring of a publicly accessible area.
  • Additional high-risk indicators from DPC/WP29 guidance: evaluation or scoring, systematic monitoring, sensitive data, large-scale processing, matched or combined datasets, vulnerable data subjects, innovative technology, non-EU transfers, or processing that prevents people from exercising a right or using a service.
  • Large-scale assessment evidence: number or proportion of data subjects, volume and variety of data, duration or permanence of processing, and geographic extent.
  • If the processing meets at least two high-risk indicators but the team decides not to run a DPIA, record the reasons, approver, DPO advice where designated, and the facts that would reopen the screening.
Sources for this answer
Regulation (EU) 2016/679 (GDPR), Articles 35 and 36
Article 35 defines when a DPIA is required and lists examples that trigger the assessment.
Data Protection Commission - Guide to Data Protection Impact Assessments
DPC guidance expands the screening criteria, including scoring, monitoring, sensitive data, scale, vulnerable groups, combined datasets, new technology, transfers, and unavoidable service access.
Section 2

2. Build the DPIA record around Article 35 content

The DPIA should be a project record, not a generic privacy memo. Tie it to the processing operation and keep enough detail for an auditor, DPO, or supervisory authority to understand the decision without reconstructing the project history.

Use the CNIL structure to keep the assessment complete: context, fundamental principles, security risks, and validation. Use the DPC template prompts to capture scope, consultation, necessity and proportionality, risks, mitigation, residual risk, sign-off, and review ownership.

  • Context: describe the processing operations, purposes, controller and processor roles, data subjects, data categories, recipients, storage durations, data flows, supporting assets, applicable standards, and intended benefits.
  • Necessity and proportionality: explain lawful basis, purpose limitation, data minimisation, accuracy, retention, transparency, rights handling, processor arrangements, and international-transfer safeguards.
  • Consultation evidence: document DPO advice where a DPO is designated, processor input where processors support the processing, internal stakeholder input, and data-subject or representative views where appropriate.
  • Risk assessment: identify effects on individuals, estimate severity and likelihood, and distinguish confidentiality, integrity, availability, fairness, discrimination, loss of control, financial, physical, reputational, and distress impacts where relevant.
Sources for this answer
Regulation (EU) 2016/679 (GDPR), Article 35(7)
Article 35(7) sets minimum DPIA content: processing description, necessity and proportionality, risks, and measures.
CNIL Privacy Impact Assessment Methodology
CNIL structures a PIA around context, fundamental principles, data-security risks, and formal validation.
CNIL Privacy Impact Assessment Templates
CNIL templates identify concrete fields for data, recipients, storage durations, controls, risk mapping, action plans, DPO advice, data-subject views, and validation.
Section 3

3. Choose measures and reassess residual risk

For each identified risk, record the initial likelihood and severity, the specific measure proposed, the owner, the expected effect on risk, and the residual risk after the measure. Do not close the DPIA on a list of broad controls without showing which individual risk each measure reduces.

Measures can change the processing design as well as the security layer. If a risk is created by unnecessary data, avoid it by removing the data. If the risk comes from access, retention, supplier handling, user information, or international transfer, the measure should address that exact cause.

  • Possible design measures: remove a data category, shorten retention, narrow recipients, avoid a combined dataset, drop an automated-decision feature, or let people use the service without the high-risk processing where feasible.
  • Possible governance measures: improve privacy notices, rights workflows, processor contracts, transfer controls, staff training, approval gates, incident handling, and evidence retention.
  • Possible security measures: access control, encryption, pseudonymisation, anonymisation where suitable, logging, backup, partitioning, vulnerability management, and operational controls around supporting assets.
  • Record accepted residual risks explicitly. If a residual high risk remains after measures, do not treat management acceptance as a substitute for Article 36 consultation.
Sources for this answer
Data Protection Commission - Guide to Data Protection Impact Assessments
DPC guidance describes identifying solutions, recording accepted risks, and using a risk register to track likelihood, impact, measures, and residual risk.
CNIL Privacy Impact Assessment Methodology
CNIL recommends mapping initial and residual risks by severity and likelihood and preparing an action plan with responsible persons, cost, and timeframe.
ENISA Handbook on Security of Personal Data Processing
ENISA provides supporting security-control context for selecting technical and organisational measures for personal-data processing.
Section 4

4. Trigger prior consultation only for unmitigated high risk

Article 36 prior consultation is a specific escalation point. The trigger is not simply that a DPIA was required; it is that the DPIA indicates the processing would result in high risk in the absence of measures taken by the controller to mitigate the risk.

Before consulting, assemble the package Article 36 expects. Keep the workflow jurisdiction-neutral unless a specific supervisory authority and national procedure have been verified from current official sources.

  • Consultation trigger: the controller has completed the DPIA, applied or selected measures, and residual high risk still remains or the risk has been insufficiently identified or mitigated.
  • Consultation package: controller, joint-controller, and processor responsibilities; purposes and means; safeguards and measures; DPO contact details where applicable; the DPIA; and any further information the authority requests.
  • GDPR response period: the supervisory authority provides written advice within up to eight weeks of receiving the request, may extend by six weeks for complexity, and may suspend the period while waiting for requested information.
  • Do not invent local forms, portals, fee rules, or mandatory publication steps. Use the competent authority's current official materials before operationalising a national filing process.
Sources for this answer
Regulation (EU) 2016/679 (GDPR), Article 36
Article 36 defines the prior-consultation trigger, expected information package, and GDPR response periods.
Data Protection Commission - Guide to Data Protection Impact Assessments
DPC guidance states that consultation is required when identified risks cannot be managed and residual risk remains high.
Section 5

5. Evidence checklist for closing or reopening the workflow

Close the workflow only when the screening decision, DPIA contents, measures, residual-risk decision, and consultation assessment are all traceable to the same processing operation. If the product, data, threat environment, provider model, or affected population changes, reopen the screen and decide whether the DPIA needs review.

Keep the evidence concise but durable. The goal is to prove the controller knew the risks, selected measures, considered affected people and DPO advice where required, and escalated when Article 36 required it.

  • Screening record: Article 35(3) checks, DPC/WP29 high-risk indicators, national DPIA list checked where applicable, and reason for DPIA/no-DPIA decision.
  • DPIA record: processing description, purposes, necessity and proportionality assessment, stakeholder views, data-subject views or reason not sought, DPO advice, risk register, measures, residual-risk map, and sign-off.
  • Implementation proof: completed action plan, system changes, retention settings, access rules, processor evidence, notices, rights workflows, transfer safeguards, training, and security-control verification.
  • Reopen triggers: new technology, new purpose, changed dataset or matching logic, expanded scale or geography, new vulnerable population, changed transfer destination, new threat or vulnerability, incident findings, or residual-risk measures that did not work.
Sources for this answer
Regulation (EU) 2016/679 (GDPR), Article 35(11)
Article 35(11) requires review where necessary, at least when the risk represented by processing operations changes.
Data Protection Commission - Guide to Data Protection Impact Assessments
DPC guidance emphasises good record keeping, integration of DPIA outcomes into project plans, and review when processing changes.
CNIL Privacy Impact Assessment Methodology
CNIL describes the PIA as a continuous improvement process updated when significant change occurs.
Recommended next step

Use this workflow to screen, assess, mitigate, and escalate residual high risk

Sorena can help turn your DPIA screening, risk register, mitigation plan, DPO advice, and prior-consultation package into a source-linked operating record.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about DPIA triggers, Article 35 content, residual high risk, and Article 36 prior consultation.

Explore next step
Talk to Sorena
Talk through implementation

Review your DPIA workflow, evidence gaps, mitigation plan, and prior-consultation decision with Sorena.

Explore next step
Primary sources

References and citations

CNIL Privacy Impact Assessment Templates
cnil.fr
Referenced sections
  • CNIL templates identify concrete fields for data, recipients, storage durations, controls, risk mapping, action plans, DPO advice, data-subject views, and validation.
"templates may have to be adapted"
Regulation (EU) 2016/679 (GDPR), Article 35(11)
eur-lex.europa.eu
Referenced sections
  • Article 35(11) requires review where necessary, at least when the risk represented by processing operations changes.
"where necessary, the controller shall carry out a review"
Regulation (EU) 2016/679 (GDPR), Article 35(7)
eur-lex.europa.eu
Referenced sections
  • Article 35(7) sets minimum DPIA content: processing description, necessity and proportionality, risks, and measures.
"The assessment shall contain at least"
Regulation (EU) 2016/679 (GDPR), Article 36
eur-lex.europa.eu
Referenced sections
  • Article 36 defines the prior-consultation trigger, expected information package, and GDPR response periods.
"The controller shall consult"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.