On 14 April 2026, the European Data Protection Board opened a consultation, running until 9 June 2026, on a template for data protection impact assessments under the General Data Protection Regulation (GDPR). The template applies to controllers undertaking high-risk processing activities, including large-scale processing of special categories of personal data, systematic monitoring of publicly accessible areas, automated decision-making with legal or similarly significant effects on individuals, profiling, matching or combining datasets, and processing involving vulnerable data subjects. It requires controllers to document a systematic description of the processing activity covering data types, purposes, data flows, and supporting technical assets, and to analyse lawfulness under Article 6 of the GDPR, including legitimate interests balancing tests where applicable. It also requires controllers to demonstrate compliance with data minimisation, retention, and data quality obligations and to detail measures supporting data subjects' rights, data protection by design and by default, and security of processing. Controllers must further assess the necessity and proportionality of the processing, conduct an inherent risk assessment identifying threats arising both from deliberate design choices and from accidental or unlawful events, and develop an action plan setting out additional mitigating measures alongside a residual risk assessment. The template also requires documentation of the Data Protection Officer's advice and, where appropriate, the views of data subjects or their representatives, before concluding with a formal decision to approve, conditionally approve, reject, or refer the processing to the relevant supervisory authority.