EDPB adopts common DPIA template

The European Data Protection Board (the “EDPB”) recently published a draft template Data Protection Impact Assessment (“DPIA”).  Following its Helsinki Statement on 2 July 2025, the EDPB promised to undertake initiatives to facilitate easier GDPR compliance, empower responsible innovation, and reinforce competitiveness in Europe.  The template is aimed at helping organisations structure, harmonise and evidence their DPIA reporting processes and is complemented by an explainer document to assist organisations to complete the template effectively.

Background

Pursuant to Article 35 GDPR, data controllers must carry out a DPIA where a data processing operation they propose to carry out is likely to result in a “high risk” to the rights and freedoms of natural persons. A DPIA shall, in particular, be required where a controller is utilising new technologies; carrying out systematic and extensive automated processing (including profiling); carrying out large-scale processing of special category data; or carrying out large-scale systematic monitoring of publicly accessible areas.

Article 35(7) GDPR requires a DPIA to set out (at least): (a) a description of the envisaged processing operations and purposes of processing; (b) an assessment of whether the processing is necessary and proportionate in light of the purpose of the processing; (c) an assessment of the risks to the rights and freedoms of individuals; and (d) identification of the measures (including safeguards) envisaged to address and minimise those risks and demonstrate compliance with the GDPR.

DPIAs are important tools for navigating risk, and for demonstrating compliance with the GDPR.  The EDPB template aims to support organisations with providing this mandatory information.  The requirement to carry out a DPIA can apply not only to firms that deploy new technologies, or carry out advanced automated processing or profiling of data subjects, but to any firms which are considering more ‘commonplace,’ but potentially high risk, data processing operations, such as using CCTV in the workplace or carrying out other forms of employee monitoring or tracking.  Until now, there has been limited guidance on how DPIAs should actually be completed, other than the content requirement in Article 35(7) GDPR and any national guidance or templates published by supervisory authorities across the EU.

The EDPB template

It is not mandatory for organisations to use the new EDPB template.  Data controllers can conduct their risk analysis and management processes as they prefer, using the DPIA methodology of their choice.  The EDPB highlights that the template will allow data controllers to benefit from predefined fields that prompt complete and structured responses, which will help ensure that all necessary information is captured accurately, while minimising the risk of errors and saving time.

The EDPB template is also complemented by an explainer document, which provides explanations for completing the template effectively, by breaking down key concepts and addressing possible questions and knowledge gaps.  The EDPB template breaks down the information required in order to satisfy the content requirements set out in Article 35(7)(a)-(d) GDPR (as discussed above).

Implications for businesses

For Irish businesses, the EDPB template can be used in conjunction with the existing Data Protection Commission (“DPC”) Guide to Data Protection Impact Assessments adopted in October 2019, to ensure that a DPIA conforms to the requirements of the DPC and Article 35(7) GDPR.  It is worth noting that many data supervisory authorities across the EU have published their own DPIA guides and templates, and this was a core rationale for the adoption of a harmonised template.  This is relevant as, if during the DPIA process a data controller has identified risks that cannot be managed and the residual risk remains high, the data controller must consult with the competent data protection authority before moving forward with the project, in line with Article 36 GDPR.  In this regard, a data protection authority’s prior consultation process can take up to eight weeks (which may be extended by a further six weeks taking into account the complexity of the intended processing).  This timeline may have implications for project timelines and should be factored into governance planning by controllers. Even if prior consultation is not required, the DPIA may be reviewed by the competent data protection authority at a later date in the event of an audit or investigation arising from the data processing operations.

Next steps

The EDPB template will be subject to public consultation until 9 June 2026, providing stakeholders with the opportunity to comment and provide feedback.  Following the public consultation, all supervisory authorities will initiate the necessary steps to adopt this template either as their sole standard or as a ‘meta-template’ to which national-specific templates will align.

Looking beyond the immediate consultation, a broader legislative development may ultimately make use of the EDPB’s template a mandatory requirement across the EU.  This is due to the fact that the proposed Digital Omnibus Regulation 2025/0360 (discussed here and here) seeks to provide for both:

  1. a harmonised list of the processing activities that require and do not require a DPIA (created by the EDPB) thereby contributing to the harmonisation of the notion of “high-risk” under Article 35 GDPR; and
  2. a common template and methodology for conducting a DPIA (created by the EDPB).

The European Commission would be required to adopt these documents by an implementing act, after reviewing them, as necessary.  It remains to be seen whether these proposals will be included in the final Regulation, once agreed.

Conclusion

In light of the fact that use of the EDPB’s template may become mandatory, or at the very least best practice, it would be prudent for data controllers to take steps now to review the template against their standard templates, and provide feedback during the consultation period.

The EDPB DPIA template is part of a wider EDPB initiative (as set out in the Helsinki Statement) to produce a suite of ready-to-use GDPR compliance tools for organisations.  The EDPB’s Work Programme 2026–2027 includes the development of templates for: data breach notifications, legitimate interest assessments, records of processing activities, and privacy notices/policies, in addition to the DPIA template.

Key takeaways:

  • The EDPB has adopted a standard DPIA template, open for public consultation until 9 June 2026.
  • Use of the EDPB template is currently voluntary, and organisations should consider submitting feedback to the EDPB before the consultation deadline as the Digital Omnibus Regulation (once finalised) could ultimately make a standardised DPIA template mandatory across the EU.
  • Irish data controllers should use the EDPB template alongside the DPC’s DPIA Guidance.

Contact us

For more information, please contact any member of our Technology and Innovation Group or your usual Matheson contact.

© 2026 Matheson LLP | All Rights Reserved