AI projects trigger GDPR Article 35 more often than almost any other kind of processing: model training on personal data, automated decisions, systematic monitoring, RAG over personal data stores. This template gives you a complete AI-specific DPIA: a screening checklist built on the EDPB criteria, a processing description shaped around training and inference, a pre-seeded risk register, and the consultation and sign-off records a supervisory authority expects to see.
A DPIA is mandatory when processing is likely to result in a high risk to individuals. Three GDPR Article 35(3) cases always require one, and under the EDPB guidelines a DPIA is required when two or more of nine risk criteria are met. These AI patterns are where projects most often cross the line.
Rule of thumb from the EDPB guidelines: two or more of the nine criteria means a DPIA is required, and one can be enough. The ICO treats AI as innovative technology, so AI plus any other criterion requires a DPIA under its UK list. If in doubt, do the DPIA.
Seven parts take you from screening to sign-off, with every table pre-structured for AI processing.
Article 35(3) triggers, the EDPB nine criteria with AI-specific interpretations, and a documented screening outcome.
Purpose, lawful basis, data categories and sources, training vs inference data flows, model provider and hosting locations, retention, and subprocessors.
Ten evidence-based questions covering minimization, alternatives to AI, transparency, data subject rights, and Article 22 safeguards.
A pre-seeded register of ten AI-specific risks to data subjects, scored by likelihood and severity: memorization, bias, sensitive inference, RAG overexposure, and more.
A mitigation table mapped to each risk, with owners, status, and residual risk scoring, plus the Article 36 consultation trigger.
DPO consultation record, sign-off table, outcome integration checklist, and a review schedule with AI-specific triggers like model changes.
The two assessments overlap but answer different questions. Most AI governance programs need both: run the AI impact assessment to decide whether and how to deploy responsibly, and the DPIA to satisfy GDPR obligations wherever personal data is involved.
This template
Broader, voluntary or policy-driven
You cannot assess what you cannot see. Aona discovers every AI tool in use across your organization, shows what personal data flows into them, and gives you the audit-ready inventory your DPIAs depend on.