Skill

legalcode-eu-dpia-assessment

Perform EU Data Protection Impact Assessments (DPIAs) under GDPR Article 35, EDPB Guidelines WP 248 rev.01, EDPB Opinion 28/2024 (AI/ML systems), EDPB Guidelines 01/2025 (Pseudonymisation), and national supervisory authority (SA) blacklists. Triggers on: "DPIA", "DSFA", "Datenschutz-Folgenabschätzung", "évaluation d'impact", "AIPD", "Data Protection Impact Assessment", "impact assessment", "Art. 35", "Art. 36", "do I need a DPIA", "high-risk processing", profiling, AI systems, biometrics, special categories of data, large-scale monitoring, employee surveillance, connected vehicles, smart cities, genetic data, prior consultation questions, Art. 36 submission preparation, and any vendor or processor involvement in high-risk processing. Covers: threshold assessment (Art. 35(3) mandatory triggers + nine EDPB criteria + multi-jurisdictional national blacklist analysis), systematic description (Art. 35(7)(a)), necessity and proportionality (Art. 35(7)(b)), risk assessment with 5×5 scoring matrix (Art. 35(7)(c)), mitigation measures (Art. 35(7)(d)), residual risk framing, Art. 36 prior consultation threshold and package preparation, DPO involvement (Art. 35(2)), data subject consultation (Art. 35(9)), AI/ML dual-phase DPIA per EDPB Opinion 28/2024, AI Act FRIA interaction, vendor and processor DPIA obligations (Art. 28), and authority-facing documentation standards. EU/EEA-specific with national SA coverage for Germany (DSK), France (CNIL), Netherlands (AP), Ireland (DPC), Belgium (APD), Italy (Garante), and Poland (UODO). Use as the native Legalcode DPIA assessment workflow, replacing any imported DPIA tooling.