EDPB Releases New 2026 DPIA Template for Public Consultation

The European Data Protection Board (EDPB) has published a new Template [2026] for Data Protection Impact Assessments (DPIAs), together with an explainer document. The template was adopted on 10 March 2026 and is currently subject to public consultation.

A structured approach to DPIA documentation

The EDPB explains that the template is intended as a standardised tool for documenting DPIAs, providing a structured format to capture the key elements required under the GDPR.

According to the document, the template:

  • Includes pre-defined fields to guide users

  • Ensures that a minimum set of information is consistently documented

  • Supports accurate and complete reporting, while helping to minimise errors

  • Is designed to be usable by both controllers and supervisory authorities

The EDPB also clarifies that the template does not impose a specific DPIA methodology. Controllers may continue using their preferred risk assessment approaches, while using the template to record the results in a consistent format.

Key elements covered in the template

As outlined in the document (see structure on pages 3–4), the template follows a comprehensive structure, including:

  • Overview of the processing, including controllers, processors, and scope

  • Systematic description of processing, such as:

    • Types of personal data processed

    • Purpose(s) of processing

    • Nature, scope, and context

  • Analysis of compliance, including:

    • Legal basis under GDPR

    • Data minimisation and retention

    • Measures supporting compliance with GDPR principles

  • Assessment of necessity and proportionality

  • Risk assessment and management, including:

    • Identification of risks

    • Mitigation measures

    • Residual risk evaluation

  • Involvement of stakeholders, including DPO input

  • Conclusion and decision on processing viability

The explainer highlights the importance of consistency across sections and encourages users to establish clear links between different parts of the assessment.

Considerations for manufacturers

While the document is addressed broadly to GDPR controllers, it may be relevant for medical device manufacturers where they act as controllers of personal data.

In particular, the template:

  • Requires detailed descriptions of data processing activities, including data lifecycle and flows

  • Emphasises documentation of technical and organisational measures, including security and data protection by design

  • Introduces a structured approach to risk identification, assessment, and mitigation

  • Includes assessment of necessity and proportionality of processing activities

Manufacturers developing devices that process personal data, including health data, may therefore wish to review whether their existing DPIA documentation aligns with this structure.

Next steps

The template is currently under public consultation, and the EDPB may issue further updates following stakeholder feedback.

Final note

This new template reflects the EDPB’s ongoing efforts to promote consistency and clarity in DPIA documentation across the EU. Organisations subject to GDPR requirements may consider reviewing the template to understand its structure and potential implications for their internal processes.
