GDPR - ARTICLE 35 - DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Your DPIA compliant
with the CNIL method

The GDPR requires a Data Protection Impact Assessment for any processing likely to result in a high risk to the rights and freedoms of individuals. SYAGA DPIA-Express structures and documents your DPIA according to the Article 35 methodology and the EDPB guidelines, without improvisation and without jargon.

35
GDPR article (DPIA)
9
EDPB criteria (WP248 rev.01)
3
Cases of obligation (art. 35.3)
4
Method components (art. 35.7 a-d)

The obligation

Determine whether your processing must undergo a DPIA, then conduct it by the book

GDPR Article 35 requires a DPIA

Any processing likely to result in a high risk to the rights and freedoms of natural persons must undergo a Data Protection Impact Assessment before its implementation (GDPR, art. 35).

📋

The CNIL "2 out of 9 criteria" rule

The EDPB (formerly the Article 29 Working Party, WP29), in its guidelines WP248 rev.01, defined 9 high-risk criteria. As soon as a processing operation meets at least two of these criteria, a DPIA must in principle be carried out: a single misjudged criterion, and the file is incomplete.

🔍

CNIL lists to check article by article

The CNIL (the French data protection authority) publishes lists of processing operations for which a DPIA is required or not required. Determining precisely where your processing falls requires a rigorous reading, not a general impression.

Without method, the risk is twofold

Conducting a DPIA too hastily exposes you to incompleteness before a supervisory authority; not conducting one when required exposes the organisation to a breach of Article 35. The CNIL method structures this decision and documents it.

The method: DPIA-Express

The structure required by Article 35.7 of the GDPR, applied to your processing, with a reasoned conclusion at every step

1
Determining the obligation

Is your processing really subject to a DPIA?

Analysis against the 3 cases of Article 35.3, the EDPB's 9-criteria grid (WP248 rev.01), and the CNIL lists of required and non-required processing. Reasoned conclusion, whether the DPIA is ultimately mandatory or not.

2
Art. 35.7.a

Systematic description of the processing

Purposes, categories of data and data subjects, recipients, retention periods: the complete mapping required by Article 35.7.a, consistent with your record of processing activities (art. 30).

3
Art. 35.7.b

Necessity and proportionality

Verification that each piece of data collected is necessary for the purpose pursued, that the legal basis (art. 6) is identified for each processing operation, and that the data minimisation principle (art. 5.1.c) is respected.

4
Art. 35.7.c

Assessment of risks to individuals

For each identified risk: severity, likelihood, measures already in place, residual risk, presented as a table usable by your management or your DPO.

5
Art. 35.7.d and 5.2

Measures and documented conclusion

Technical and organisational measures envisaged (art. 32), reasoned conclusion and documented justification under the accountability principle (art. 5.2), ready for use in the event of a CNIL inspection.

What you receive

A structured, sourced document, honest about what still needs validation by your lawyer or your DPO

📝

Structured DPIA report

The complete document following Article 35.7 (a to d), with a reasoned conclusion.

  • Systematic description of the processing
  • Necessity and proportionality analysis
  • Risk table (severity/likelihood/measures)
  • Conclusion and documented justification (art. 5.2)

Determination grid

The preliminary analysis that decides whether your processing falls within the scope of the obligation.

  • The 3 cases of Article 35.3
  • The 9 EDPB criteria (WP248 rev.01)
  • Comparison against the CNIL lists
  • Reasoned and sourced conclusion
📁

Consistency with the Article 30 record

The DPIA relies on the same foundation as your record of processing activities.

  • Purposes and legal bases
  • Categories of data and data subjects
  • Recipients and processors
  • Retention periods by category
🚩

Points for your lawyer/DPO to validate

Every point of uncertainty is explicitly flagged, never decided on your behalf.

  • Controller / processor qualification
  • Legal bases by purpose
  • Identified transfers outside the EU
  • Appointment of a DPO (art. 37), where applicable
🔗

Sources and traceability

Every legal statement is sourced, not stated from memory.

  • Consolidated GDPR text (CELEX 32016R0679)
  • CNIL pages and lists (DPIA, record)
  • EDPB guidelines (WP248 rev.01)
  • Verifiable URLs cited in the document
📄

Editable document

Delivered in an editable format, reusable by your DPO or your lawyer.

  • Structure compliant with Article 35.7
  • Reusable for your future processing operations
  • Ready to be completed before final validation
  • No fixed formatting imposed

References used

A method based on texts and authorities, not on in-house interpretations

35

GDPR - Article 35

Data protection impact assessment. Consolidated text of Regulation (EU) 2016/679 (EUR-Lex, CELEX 32016R0679).

EDPB

Guidelines WP248 rev.01

The EDPB's (formerly Article 29 Working Party) 9 high-risk criteria, adopted by the CNIL as the reference method for determining the DPIA obligation.

CNIL

CNIL lists and method

Lists of processing operations for which a DPIA is required or not required, and the CNIL method for conducting an impact assessment.

30

GDPR - Article 30

Record of processing activities: the consistency foundation (purposes, data, retention periods) on which every DPIA relies.

A tailored DPIA, with no hidden pricing

The scope depends on the number of processing operations, their complexity, and what is already documented on your side. Quote established after an initial discussion.

Determining the obligation

You don't know whether your processing is concerned

Quote on request
depending on the number of processing operations to analyse
  • EDPB 9-criteria grid
  • Comparison against Article 35.3
  • Verification of the CNIL lists
  • Reasoned and sourced conclusion
Request a quote

Multi-year programme

Several at-risk processing operations to cover

Quote on request
depending on the number of processing operations and review cadence
  • Everything in Full DPIA +
  • Common methodological framework
  • Periodic review (art. 35.11)
  • Consistency maintained with the record (art. 30)
Request a quote

A DPIA is never set in stone

Article 35.11 of the GDPR requires the analysis to be reviewed in the event of a significant change to the processing (new processor, hosting change, extension of the collection scope). A review quote is established on a case-by-case basis.

Frequently asked questions

Is my processing really subject to the DPIA obligation?
This depends on three elements checked methodically: the 3 cases of Article 35.3 of the GDPR, the EDPB's 9-criteria grid (guidelines WP248 rev.01, adopted by the CNIL: as soon as 2 out of 9 criteria are met, a DPIA must in principle be carried out), and the CNIL lists of required and non-required processing. The delivered document settles this question and justifies it, point by point.
What exactly does the delivered document contain?
A document structured according to Article 35.7 of the GDPR: systematic description of the processing (a), necessity and proportionality analysis (b), assessment of risks to data subjects (c), envisaged technical and organisational measures (d), then a reasoned conclusion. Every legal reference is sourced (consolidated GDPR text, CNIL, EDPB).
What if my processing turns out not to be subject to the DPIA obligation?
The document is kept on a voluntary, documentary basis: it constitutes the justification for your decision not to conduct a formal DPIA, under the accountability principle (art. 5.2 of the GDPR), ready for use in the event of a CNIL inspection.
Does this document replace the opinion of my lawyer or DPO?
No. DPIA-Express is a methodological support tool that structures and documents the analysis; it does not constitute legal advice. Every document delivered explicitly lists the points that still need to be validated by your lawyer or your Data Protection Officer before any binding use.
Who must carry out the DPIA within my organisation?
The controller remains legally responsible for the DPIA; the DPO, where one exists, must be consulted (art. 35.2 of the GDPR). DPIA-Express prepares the material (description, risks, measures) so that this consultation takes place on an already structured file, not a blank page.
Why go through SYAGA rather than doing it entirely in-house?
SYAGA Consulting has existed since 2009 and applies this same method to its own processing operations, including its own Microsoft 365 audit product, whose DPIA obligation analysis follows exactly this structure. We do not deliver a generic template: every document is built processing by processing, article by article.

Ready to document your DPIA?

Describe your processing to us, and we'll get back to you with a tailored quote.