---
title: Data Protection Impact Assessment (DPIA)
type: concept
tags: [dpia, gdpr, accountability, ai-act, privacy-by-design, legal, regulatory-risk]
sources: ["[[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance]]", "[[sources/gdpr-article-22-text]]", "[[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai]]"]
created: 2026-04-27
updated: 2026-04-27
---

# Data Protection Impact Assessment (DPIA)

A structured pre-processing risk assessment mandated by **Article 35 GDPR** when a type of processing is likely to result in high risk to the rights and freedoms of natural persons — particularly when [[concepts/automated-decision-making|ADM]] or new technologies are involved.

**Positioned in the legal-risk cluster as the central governance tool for demonstrating that human intervention under [[concepts/gdpr-article-22|Art. 22]] is *meaningful*.**

## When is a DPIA mandatory

Article 35(3) GDPR — a DPIA is mandatory in particular for:

- **(a)** Systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect the natural person.
- **(b)** Processing on a large scale of special categories of data (Art. 9(1)) or of data on criminal convictions.
- **(c)** Systematic monitoring of publicly accessible areas on a large scale.

Note: Art. 35(3)(a) **does not require the processing to be solely automated** — it applies to ADM systems whether or not they are based solely on automated processing.

## Required content (Art. 35(7))

A DPIA shall contain at least:

1. A systematic description of the envisaged processing operations and their purposes (including the legitimate interests pursued).
2. An assessment of the necessity and proportionality of the processing in relation to its purposes.
3. An assessment of the risks to data subjects' rights and freedoms.
4. The measures envisaged to address those risks — safeguards, security measures, and mechanisms to ensure protection of personal data and to demonstrate compliance.

## DPIA as institutional check

Per [[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance|Lazcoz & de Hert 2023]] (Section 11):

- DPIAs provide a **continuous evaluation** of the meaningfulness of human intervention — they are not a one-time exercise.
- They allow controllers to demonstrate that the human agents to whom oversight is assigned actually contribute to lawful, fair, and accurate processing.
- They sit **between** the individual-rights perspective and the systemic-accountability perspective.
- They can be used to detect [[concepts/automation-bias|automation bias]] and the cost-and-incentive structures that push human reviewers toward routine sign-off.

## Limitations

- DPIAs are mainly **self-assessment** tools — a weakness if Supervisory Authorities are under-resourced.
- They cannot detect automation bias on a per-decision basis — institutional review (e.g. statistical analysis of override rates) is required.
- The "envisaged" nature of a DPIA assumes stable processing — agentic AI breaks this assumption (see [[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai|Navaie 2025]]).

## Connection to AI Act

[[concepts/eu-ai-act|AI Act]] **Article 29(6) AIA** explicitly requires users (= GDPR controllers) of high-risk AI systems to use the information provided by AI providers under the transparency requirement (Art. 13(3)(d) AIA) — particularly information about human-oversight measures — to comply with their obligation to carry out a DPIA under Art. 35 GDPR.

This is described by Lazcoz & de Hert as "a beautiful example of how the AIA tries to interact and boost the accountability duties contained in the GDPR" (p. 9).

## Enforcement examples

The Italian DPA (Garante) fined:

- **Foodinho €2,600,000** — using discriminatory algorithms to manage food-delivery riders; violation of Art. 22 + **Art. 35 (failure to conduct a DPIA)**.
- **Deliveroo €2,500,000** — the same combination shortly afterwards.

These cases illustrate that failure to conduct an Art. 35 DPIA is treated as a substantive violation alongside Art. 22 violations — the DPIA is not merely procedural.

## DPIA evidence in agentic contexts

Per [[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai|Navaie 2025]], in agentic AI stacks the **execution traces** that record plans, tool calls, data categories, and state changes are simultaneously DPIA evidence and AI Act Art. 12 log evidence — one artefact serving both compliance regimes.

This is a significant operational consequence: privacy engineering and AI governance teams should not produce separate audit artefacts.

## Related

[[concepts/gdpr-article-22]] · [[concepts/automated-decision-making]] · [[concepts/human-oversight]] · [[concepts/eu-ai-act]] · [[concepts/gdpr-accountability-principle]] · [[concepts/data-protection-by-design]]