The European Data Protection Board on 10 March 2026 adopted its first standardised template for conducting Data Protection Impact Assessments, a structured document designed to help organisations across the EU carry out and record the mandatory privacy risk assessments required under the General Data Protection Regulation. The release, published as version 1.0, was opened immediately for public consultation, with a deadline for feedback set at 9 June 2026.

The template and its accompanying explainer document have arrived almost eight years after the GDPR became applicable in May 2018 - a gap that privacy professionals on LinkedIn were quick to note, with some calling it "mind boggling" that the Board had not acted sooner. Others welcomed the standardisation as a practical step toward harmonisation across the EU's 27 national supervisory authorities.

What the template covers

According to the EDPB, the template can be used as a data-entry document for documenting and reporting a DPIA. It is built around pre-defined fields that prompt complete and structured responses, and is designed to be accepted by all supervisory authorities across EU member states. The Board makes clear the document does not supersede existing national or sectoral DPIA methodologies. Controllers can conduct their risk analysis and management processes using the DPIA methodology of their choice, and the template provides a minimum standard of what must be recorded.

The document itself runs to six substantive sections, preceded by a section zero covering the processing overview. Section zero alone requires controllers to identify the GDPR controller and all relevant contact details, processors and sub-processors with their defined obligations, the internal name of the processing activity, a planning schedule with launch and end dates, and a DPIA technical sheet listing the team involved, the reference materials consulted, and the reasons why a DPIA was conducted.

From there, the template asks controllers to produce a systematic description of the processing in section one. This breaks into a high-level description - covering the categories of personal data involved, the specific purposes of processing, any secondary or compatible uses, and the nature, scope, and context of the activity - as well as a functional description and a means-of-processing section. The functional description, set out in field 19, requires a full account of the data lifecycle from collection through to deletion, covering how data is sourced, what operations are performed on it, where and how it is stored, what sharing or transfers to third parties or outside the EU take place, and what methods are used for permanent erasure.

Technical architecture and asset inventories

Section 1.3 of the template introduces a particularly detailed requirement: an inventory of the supporting assets involved in the processing. According to the EDPB, an asset typically refers to any resource, tangible or intangible, used to process personal data. The Board lists the following asset categories as examples: hardware, infrastructure, and network assets such as servers, laptops, mobile devices, storage media, scanners, and VPN gateways; software including database engines and business applications; APIs and models; personnel including users, administrators, developers, operators, support staff, and decision-makers; sites and premises such as data centres and archives; and organisational assets including policies, procedures, and contracts with processors and sub-processors.

The template instructs controllers to include assets whose compromise would plausibly impact rights and freedoms in a non-trivial way - for example, assets directly storing or processing personal data, assets that control access or protect data, and exposed or high-impact components such as public-facing portals, APIs, or data-sharing interfaces to third parties. Very small, generic, or easily substitutable elements need not be listed individually. Assets should be grouped by logical module, technical layer, or function. For ad tech and marketing technology organisations, this section carries immediate practical significance. An advertising data management platform, for instance, would need to list its data ingestion APIs, its audience segmentation models, its integration interfaces with demand-side platforms, and any third-party data providers processing personal data on its behalf.

Risk assessment: two distinct frameworks

One of the more technically precise aspects of the EDPB template is its separation of risk assessment into two distinct categories. Section 3 addresses impacts on data subjects that arise from the processing itself - risks that exist even if everything works exactly as designed and all actors follow the rules. Section 4.1.1 then addresses risks arising from non-default, accidental, unlawful, or abnormal events. The template deliberately uses different language for each category to keep the two distinct.

According to the EDPB, the first category of threats flows mainly from the processed personal data, the very purpose of the processing, and its nature, scope, and context. Even if the processing is correctly implemented and works as specified, there are risks tied to its inherent and structural characteristics: design choices themselves can create risks for data subjects, even where there is no failure or attack. The second category covers situations where something does not go as intended in design, implementation, configuration, or operation, or where malicious actors intervene. Typical risk sources in the second category include software bugs, misconfigurations, wrong access rights, operational errors such as sending data to the wrong recipient or using the wrong dataset, lack of maintenance due to unpatched vulnerabilities or outdated components, insider abuse where staff exceed their authorised use, and external attacks such as phishing and ransomware.

Risk levels in the template follow the standard formula: risk equals likelihood multiplied by severity. The Board recommends qualitative scales, typically running from low to medium to high. Modulating factors - characteristics that increase or decrease the likelihood or severity of a risk without being the primary source of the threat - must also be identified. Aggravating factors listed in the template include a very large number of data subjects, high data sensitivity, data subjects in a situation of dependency or vulnerability such as children, patients, workers, or migrants, and high exposure to external adversaries.

The action plan in section 4.2 requires controllers to document any additional mitigating measures beyond those initially planned, reassess residual risks after those measures are applied, and establish a plan covering the responsible team, timelines, and monitoring arrangements. According to the template, a risk in data protection may be deemed non-acceptable if the potential severity of its impact is very high, even when its likelihood of occurring is low.

Consultation, DPO involvement, and the final decision

Section 5 requires documentation of the Data Protection Officer's advice, conclusions, and recommendations, together with an account of how the controller implemented that advice. Where applicable, section 5.2 calls for the views of data subjects or their representatives, including an explanation of why their participation was or was not considered appropriate.

The template closes with a structured conclusion requiring a formal decision on processing viability. Controllers must choose between four outcomes: abandoning the processing because risks are unacceptable; consulting the supervisory authority before proceeding; proceeding as planned; or conditionally proceeding, meaning the processing design must be modified to better address identified risks before it can begin. The template must be formally approved by a responsible official such as a Managing Director or CEO, and may include a seal and signature.

The public consultation and its context

The adoption of the template on 10 March 2026 initiated a public consultation period. Comments must be submitted by 9 June 2026 using the feedback form provided by the EDPB. The consultation asks respondents to confirm they have removed any personal data whose publication they do not desire - including signatures and metadata - from any submitted feedback.

The timing of the template's arrival is not incidental. According to the EDPB's 2025 annual report, a DPIA template was already due for publication as a concrete output of the commitments made at the Helsinki Summit on Enhanced Clarity, Support, and Engagement. The report also showed that national data protection authorities across Europe issued a combined total of 1,145,760,374 euros in fines during 2025 alone - a figure that underscores the enforcement environment in which this template now arrives.

The Digital Omnibus initiative, meanwhile, proposed centralising DPIA processes at the EU level. The European Commission's proposed GDPR amendments circulated in November 2025 would have the EDPB prepare proposals for processing operation lists requiring assessments, and would additionally have the Board develop common templates and methodologies for conducting assessments - replacing diverse national approaches with unified EU-level frameworks. The EDPB's template can be read as an anticipatory step in that direction, arriving before any legislative mandate requires it.

Reactions from the privacy community

Reaction among data protection professionals was mixed. Rosalia Anna D'Agostino, a privacy and digital law expert, described the adoption as breaking news and noted the document includes useful guidelines on how to practically identify controllers, processors, and sub-processors, as well as the purpose of the processing and the secondary uses to which the collected data may be put. Another commenter noted the template is a Word document rather than a PDF, a practical point for those planning to use it as a working tool.

The more critical responses focused on structural gaps. Peter Craddock, a data and technology law specialist, published a detailed analysis questioning the template's target audience. According to Craddock, the section on reasons to conduct the DPIA is misleading because it suggests that a DPIA is required even if just one of the Article 29 Working Party's DPIA criteria applies, while the 2017 guidelines actually require two or more criteria to be met before a DPIA is mandatory.

Craddock also noted that the template feels like a non-operational compliance document, pointing in particular to the section on measures supporting compliance with the principles in Article 5(1)(a-f) GDPR, which lists the GDPR's principles without giving any indication of what they mean in practice. The right to rectification and the right to erasure appear together in a single section, despite carrying very different operational requirements. Data protection by design and by default are similarly grouped without accompanying guidance.

Harshvardhan Pandit, a research fellow at the AI Accountability Lab at Trinity College Dublin, flagged in the comments that the mapping of DPIA required conditions across jurisdictions - and across regulatory frameworks such as the GDPR and the AI Act - remains an open research problem. Pandit linked to a paper on impact assessment requirements in the GDPR versus the AI Act, noting overlaps, divergence, and implications as an area of active work.

Why this matters for the marketing and advertising industry

For the marketing community, the DPIA requirement is not an abstract compliance concern. The EDPB's guidelines on the DSA-GDPR interplay, adopted on 11 September 2025, confirmed that Very Large Online Platforms face enhanced risk assessment obligations under Articles 34 and 35 of the Digital Services Act that often mandate Data Protection Impact Assessments under GDPR Article 35. Systemic risk identification is likely to trigger mandatory DPIA requirements whenever processing affects fundamental rights.

Ad tech platforms, data management platforms, identity resolution services, and retail media networks all operate at the scale and sensitivity levels that routinely trigger the DPIA obligation. The combination of high data volumes, profiling operations, cross-border transfers, and sensitive data categories - increasingly including inferred health or financial signals derived from behavioural data - places much of the ad tech supply chain squarely within scope of Article 35 GDPR.

Spain's AEPD, whose work on agentic AI and GDPR compliance PPC Land covered in March 2026, noted that almost any agentic deployment involving special categories of personal data - health information, political opinions, biometric data - or profiling at scale would likely trigger the DPIA obligation. As AI-driven campaign automation becomes standard across major demand-side platforms, the frequency with which advertisers and their technology partners must conduct DPIAs is increasing, not decreasing.

The EDPB's new template now provides at minimum a common baseline that all supervisory authorities across the EU are expected to accept. That is meaningful for organisations operating across multiple jurisdictions that previously had to manage differing national DPIA documentation requirements. Whether the template's current level of specificity is sufficient for operational teams - or whether it will require significant supplementary guidance before it becomes genuinely useful in the field - remains the central question the public consultation will need to resolve.

Timeline

  • October 2017 - Article 29 Working Party publishes Guidelines on Data Protection Impact Assessment (wp248rev.01), establishing the 9-criteria framework for determining when a DPIA is required.
  • May 2018 - GDPR enters into force across the European Union, with Article 35 establishing the DPIA obligation for high-risk processing.
  • September 11, 2025 - EDPB adopts Guidelines 3/2025 on the DSA-GDPR interplay, confirming that DPIA obligations apply when systemic risk identification affects fundamental rights for Very Large Online Platforms.
  • November 2025 - European Commission circulates draft GDPR amendments through the Digital Omnibus initiative, proposing centralisation of DPIA template development at the EDPB level.
  • February 2026 - Spain's AEPD publishes a 71-page guide on agentic AI and GDPR compliance, identifying DPIA requirements for agentic deployments involving profiling or special categories of personal data.
  • 10 March 2026 - EDPB adopts the DPIA template, version 1.0, and opens it for public consultation with a deadline of 9 June 2026.
  • 9 April 2026 - EDPB publishes its 2025 Annual Report, documenting 1,145,760,374 euros in GDPR fines during 2025 and confirming the DPIA template as a deliverable from the Helsinki Summit commitments.
  • 9 June 2026 - Deadline for submitting public consultation feedback on the EDPB DPIA template.

Summary

Who: The European Data Protection Board, chaired by Anu Talus, adopted the template. The primary audiences are data controllers, processors, and Data Protection Officers operating under the GDPR across EU member states, with particular relevance for organisations processing personal data at scale - including advertising technology platforms, retail media networks, and AI-driven marketing systems.

What: The EDPB published a standardised, structured template for conducting and documenting Data Protection Impact Assessments under Article 35 GDPR. The template covers processing overviews, systematic descriptions of the processing, lawfulness analysis, necessity and proportionality considerations, risk assessment and management, DPO involvement, and a formal conclusion and decision. An accompanying explainer document describes how to complete each section. The template is currently open for public consultation.

When: The template was adopted on 10 March 2026 as version 1.0. The public consultation period runs until 9 June 2026.

Where: The template applies across all EU member states and is designed to be accepted by all 31 national supervisory authorities listed in Annex 1 of the document, including the data protection authorities of Austria, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Ireland, Latvia, Malta, the Netherlands, Poland, Slovenia, Spain, and Sweden, among others.

Why: The DPIA obligation has existed since GDPR entered into force in May 2018, but no EU-wide standardised template existed until now. Differing national approaches created compliance friction for organisations operating across multiple jurisdictions. The template addresses that gap, and its arrival anticipates the Digital Omnibus proposal to centralise DPIA methodology at the EU level. The 2025 enforcement record - over 1.1 billion euros in GDPR fines - reinforces the practical urgency of getting DPIA processes right.
