# DPIA Generator
> Source: https://legalcode.md/use-cases/dpia | [HTML version](https://legalcode.md/use-cases/dpia)

GDPR-compliant DPIAs — without uploading your data processing details to a cloud platform.

Data Protection Impact Assessments are required under GDPR Article 35 for high-risk processing activities. Legalcode's DPIA skill guides your agent through the full ICO/EDPB-aligned methodology — identifying processing activities, assessing necessity and proportionality, evaluating risks, and documenting mitigations.

## How It Works

1. **Describe the processing activity to your local agent** -- Tell the agent what data is being processed, by whom, for what purpose, and in which jurisdictions. This description stays in your local session — Legalcode is queried only for the EDPB criteria and regulatory framework.

2. **Skill applies EDPB screening criteria** -- The skill runs the European Data Protection Board's nine-criterion screening to determine whether a formal DPIA is mandatory, then proceeds with the structured assessment.

3. **Risk matrix populated** -- The agent identifies risks to data subjects (likelihood × severity), maps them to the processing steps, and suggests technical and organisational measures to mitigate each risk.

4. **DPIA document drafted** -- A complete DPIA document is generated in the required format — including processing description, lawful basis, necessity and proportionality analysis, risk assessment, and DPO consultation status.

## Outputs

- DPIA necessity screening report (EDPB nine-criteria test)
- Processing activity description in Article 30 register format
- Risk matrix (likelihood × severity, per risk)
- Technical and organisational measures (TOMs) list
- Residual risk assessment
- Complete DPIA document ready for DPO review

## Jurisdictions

EU, UK, DE, FR, IE, NL, SE, NO, IS, CH

## FAQ

### Does the skill cover UK GDPR as well as EU GDPR?

Yes. The skill applies both EU GDPR (supervised by the EDPB and national DPAs) and UK GDPR (supervised by the ICO). It flags divergences between the two regimes where they affect the DPIA output.

### My processing descriptions contain sensitive internal details. Are they safe?

Your processing activity descriptions never leave your device. The agent works locally with your descriptions and queries Legalcode only for the regulatory framework — GDPR articles, EDPB guidance, DPA positions. Zero data retention applies to all search content.

### Can the output be used as the final DPIA for regulatory purposes?

The output is designed to be a substantive starting point for DPO review, not a final signed-off document. Your DPO should review, validate, and sign the DPIA before it is relied upon.

### What if the processing activity involves AI systems?

The skill includes an AI-specific risk module that addresses algorithmic decision-making, profiling, and the intersection of GDPR Article 22 with the EU AI Act's high-risk AI system requirements.

---
*Legalcode -- legalcode.md*