GDPR Article 35: Data protection impact assessment (DPIA)

All 99 Articles Chapter 4: Controller and Processor

Before high-risk processing — large-scale monitoring, sensitive data, new technologies — you must run a DPIA to identify and mitigate the risks. AI deployments frequently trigger this.

Key points

Required for processing likely to result in a high risk.
Must describe the processing, assess necessity and proportionality, and address risks.

Read the official text on EUR-Lex

36Prior consultation 25Data protection by design and by default 9Processing of special categories of personal data 22Automated decision-making and profiling

Practical guidance

The GDPR Compliance Checklist for 2026: A Practical 12-Step Guide

In the news

The EU AI Act enters into force — and it runs on top of the GDPR

These summaries are a plain-English orientation only and are not a substitute for the official text of the Regulation or for legal advice.

Need to apply Article 35?

Our data-protection lawyers turn the text into a plan.

Talk to a lawyer

Back to all articles

Article 35 — Data protection impact assessment (DPIA)

Key points

Related articles