The DPIAs sub-module in Venvera supports the creation, management, and documentation of Data Protection Impact Assessments as required by Article 35 of the GDPR. A DPIA is a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data. This article explains every field, workflow step, and feature in the DPIA management interface.

When Is a DPIA Required?

Under Art. 35(1), a DPIA is mandatory when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, particularly when using new technologies. Art. 35(3) provides three specific cases where a DPIA is always required:

  • Systematic and extensive profiling with significant effects on individuals (Art. 35(3)(a))
  • Large-scale processing of special category data or data relating to criminal convictions (Art. 35(3)(b))
  • Systematic monitoring of publicly accessible areas on a large scale (Art. 35(3)(c))

Additionally, your national supervisory authority may publish a list of processing operations that require a DPIA (Art. 35(4)) or that do not require one (Art. 35(5)). Consult these lists when deciding whether a DPIA is needed.

Accessing DPIAs

Step 1: Navigate to DPIAs

From the sidebar, expand GDPR and click DPIAs. The main view displays a table listing all DPIA records with their title, linked processing activity, status, and last updated date.

Step 2: Create a New DPIA

Click Add DPIA in the top-right corner. The creation form opens with all fields ready to be populated. New DPIAs default to "Pending" status.

Step 3: Complete the Assessment

Work through each section of the DPIA form: describe the processing, assess necessity and proportionality, evaluate risks, document mitigation measures, and record the DPO's opinion. Each section can be saved independently, allowing you to complete the DPIA over multiple sessions.

Step 4: Review and Finalize

Once all sections are complete, change the status to "Completed" or "Under Review" depending on whether further discussion is needed. A completed DPIA is retained as a compliance record and can be referenced by the linked processing activity.

DPIA Form Fields

Each entry below gives the field name, its input type, whether it is required, and a description of what to record.

Title (Text, Required)
A descriptive title for the DPIA. This should clearly identify the processing activity or project being assessed. Examples: "DPIA - Employee Health Monitoring Program", "DPIA - Customer Behavioral Analytics Platform", "DPIA - CCTV Deployment in Public Lobby". Use consistent naming conventions for easy identification in the list view.

Linked Processing Activity (Dropdown from ROPA, Optional)
Select the processing activity from your ROPA that this DPIA assesses. Linking the DPIA to a processing activity creates a bidirectional reference — the processing activity detail view will show the linked DPIA, and the DPIA will inherit context from the processing activity (such as data categories, data subjects, and legal basis). If the processing activity has not yet been created in the ROPA, you can leave this blank and link it later.

Description (Rich Text Area, Required)
A comprehensive description of the processing operations, as required by Art. 35(7)(a). This should include:
  • The nature of the processing (what operations are performed on the data)
  • The scope (volume of data, geographic coverage, number of data subjects)
  • The context (relationship between controller and data subjects, expectations of data subjects)
  • The purposes of the processing (why the data is being processed)
  • The technology used (systems, platforms, algorithms, automated decision-making)
  • Data flows (where data comes from, where it goes, who has access)
This field supports rich text formatting including headings, bullet points, and tables to help you structure the description clearly.

Necessity & Proportionality Assessment (Rich Text Area, Required)
An assessment of the necessity and proportionality of the processing in relation to the purposes, as required by Art. 35(7)(b). This section should document:
  • Necessity: Why is this processing necessary? Could the same purpose be achieved with less data or less intrusive processing? Is the processing limited to what is necessary for the stated purpose?
  • Proportionality: Is the extent of the processing proportionate to the purpose? Does the benefit to the controller or public outweigh the impact on data subjects? Are there less privacy-invasive alternatives?
  • Legal basis justification: How does the chosen legal basis under Art. 6(1) apply? If relying on legitimate interests, document the balancing test. If relying on consent, explain how consent meets the GDPR's requirements (freely given, specific, informed, unambiguous).
  • Compliance with data protection principles: How does the processing comply with each principle in Art. 5 (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)?

Risk Assessment (Rich Text Area, Required)
An assessment of the risks to the rights and freedoms of data subjects, as required by Art. 35(7)(c). This section should systematically identify and evaluate:
  • Risk sources: Who or what could cause harm? (unauthorized access, system failure, human error, malicious actors, excessive data collection)
  • Potential impacts: What harm could data subjects suffer? (discrimination, identity theft, financial loss, reputational damage, loss of confidentiality, physical harm, restriction of rights)
  • Likelihood: How probable is each risk? Rate as Low, Medium, High, or Very High with justification.
  • Severity: How serious would the impact be? Rate as Low, Medium, High, or Very High with justification.
  • Overall risk level: Combine likelihood and severity to determine the overall risk for each identified risk.
Consider using a risk matrix approach: list each risk with its likelihood, severity, and overall level in a structured format.

Mitigation Measures (Rich Text Area, Required)
The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure protection of personal data, as required by Art. 35(7)(d). For each risk identified in the Risk Assessment section, describe:
  • The specific control or measure that will mitigate the risk
  • Whether the measure is already implemented or planned
  • The expected residual risk after the measure is applied
  • The responsible person or team for implementing the measure
  • The timeline for implementation if the measure is planned
Measures may include technical controls (encryption, access controls, pseudonymization, automated deletion), organizational measures (policies, training, audits), and contractual safeguards (DPAs, SCCs).

DPO Opinion (Rich Text Area, Optional)
The opinion of the Data Protection Officer on the DPIA, as required by Art. 35(2). The DPO should provide an independent assessment of whether:
  • The DPIA has been conducted correctly and comprehensively
  • The identified risks are complete and accurately assessed
  • The proposed mitigation measures are adequate to reduce risks to an acceptable level
  • The processing can proceed as described, can proceed with modifications, or should not proceed
  • Prior consultation with the supervisory authority is required under Art. 36 (if residual risks remain high)
If your organization does not have a DPO, this field can be used to record the opinion of the person responsible for data protection.

Status (Dropdown, Required)
The current status of the DPIA:
  • Pending — The DPIA has been created but is not yet complete. One or more sections may be missing or under development. Processing should not begin until the DPIA is completed, unless urgent circumstances apply.
  • Completed — The DPIA has been fully assessed, all sections are populated, the DPO opinion has been recorded, and the decision to proceed (or not) has been made. Completed DPIAs are retained as compliance records.
  • Under Review — The DPIA is being reviewed, either as part of a periodic review cycle or because circumstances have changed (new data categories, new technology, new risks). Under Review DPIAs should be updated and returned to Completed status promptly.

Prior Consultation (Art. 36)

If, after completing the DPIA and applying mitigation measures, the residual risk to data subjects remains high, you must consult with your supervisory authority before proceeding with the processing. Document this requirement in the DPO Opinion field and initiate the consultation process. Venvera does not automate supervisory authority communication, but the DPIA export can be submitted as part of the consultation package.

When DPIAs Are Required

Beyond the three mandatory cases in Art. 35(3), the European Data Protection Board (EDPB) guidelines (WP 248 rev.01) provide nine criteria that indicate high-risk processing. A DPIA is generally required when the processing meets two or more of the following criteria:

  1. Evaluation or scoring (including profiling and predicting)
  2. Automated decision-making with legal or similarly significant effect
  3. Systematic monitoring
  4. Sensitive data or data of a highly personal nature
  5. Data processed on a large scale
  6. Matching or combining datasets
  7. Data concerning vulnerable data subjects (children, employees, patients)
  8. Innovative use or applying new technological or organizational solutions
  9. Processing that prevents data subjects from exercising a right or using a service or contract

Tip: DPIA Review Cycle

Art. 35(11) requires that DPIAs be reviewed when there is a change in the risk represented by the processing. Best practice is to review DPIAs at least annually, or whenever there is a significant change to the processing activity (new data categories, new technology, new recipients, change in scale). Set a calendar reminder or use Venvera's review date tracking to ensure timely reviews.

Exporting DPIAs

Individual DPIAs can be exported as PDF documents that include all fields, the full risk assessment, mitigation measures, and DPO opinion. The export is formatted as a professional document suitable for submission to supervisory authorities as part of an Art. 36 prior consultation, or for internal records and audit evidence. You can also export a summary list of all DPIAs in CSV format for management reporting.