DPIA Information
Organisation
DPO Name
DPO Email
Start Date
Project Name
Project Description
Scale: Small (<10K); Medium (10K-1M); Large (>1M)
Retention (months)
Residual Risk: Low; Medium; High
Special category personal data (KVKK Art. 6)
Systematic monitoring
Publicly accessible area
Involves AI systems
Automated decisions with legal effect
Profiling
Vulnerable groups (children, employees)
Cross-border transfer
Transfer Destinations
Transfer Mechanism:
Adequacy decision country (Art. 45)
Standard Contractual Clauses (SCC) + Transfer Impact Assessment (TIA)
Binding Corporate Rules (BCR)
Explicit consent (derogation, Art. 49)
Written undertaking + DPA authorisation
Legal Basis and Processing Details
Legal basis (GDPR Art. 6 / KVKK Art. 5), multiple selectable:
✓ Consent (Art. 6(1)(a))
Performance of a contract (Art. 6(1)(b))
Legal obligation (Art. 6(1)(c))
Vital interests (Art. 6(1)(d))
Public task / official authority (Art. 6(1)(e))
✓ Legitimate interest (balancing test required) (Art. 6(1)(f))
Legitimate Interest Assessment (LIA)
Processing Purposes
Data Flow (Lifecycle)
Processors
Data Subject Rights Mechanism
EDPB WP248: High-Risk Criteria
DPIA considered mandatory if 2 or more are met. Select those that apply:
✓ Evaluation or scoring (profiling, credit scoring, performance prediction)
Automated decision-making with legal or similar significant effect
Systematic monitoring (CCTV, employee monitoring, public area surveillance)
Sensitive data or data of a highly personal nature (health, biometric, financial, location)
Data processed on a large scale
Matching or combining datasets
Data concerning vulnerable data subjects (children, employees, patients, elderly)
✓ Innovative use of new technology (AI/ML, IoT, facial recognition)
Processing that prevents data subjects from exercising a right or using a service
Identified Risks (3)
Add from risk catalog:
Unauthorised Access (Data Breach)
Data Exfiltration
Unwanted Data Modification
Data Loss / Unavailability
Re-identification
Function Creep
Excessive Retention
Processor Risk
Lack of Transparency
Failure to Honour Data Subject Rights
Algorithmic Discrimination / Bias
Lack of Explainability (Black-box)
Training Data Leakage (Memorization)
Technical Measures
Organisational Measures
Stakeholder Consultation (Art. 35(9))
DPO Opinion
Other Consultations (data subject representatives, processor, security)