The GDPR requires a Data Protection Impact Assessment for any processing likely to result in a high risk to the rights and freedoms of individuals. SYAGA DPIA-Express structures and documents your DPIA according to the Article 35 methodology and the EDPB guidelines, without improvisation and without jargon.
Determine whether your processing must undergo a DPIA, then conduct it by the book
Any processing likely to result in a high risk to the rights and freedoms of natural persons must undergo a Data Protection Impact Assessment before its implementation (GDPR, art. 35).
The EDPB (formerly the Article 29 Working Party, WP29), in its guidelines WP248 rev.01, defined 9 high-risk criteria. As soon as a processing operation meets at least two of these criteria, a DPIA must in principle be carried out: a single misjudged criterion, and the file is incomplete.
The CNIL (the French data protection authority) publishes lists of processing operations for which a DPIA is required or not required. Determining precisely where your processing falls requires a rigorous reading, not a general impression.
Conducting a DPIA too hastily exposes you to incompleteness before a supervisory authority; not conducting one when required exposes the organisation to a breach of Article 35. The CNIL method structures this decision and documents it.
The structure required by Article 35.7 of the GDPR, applied to your processing, with a reasoned conclusion at every step
Analysis against the 3 cases of Article 35.3, the EDPB's 9-criteria grid (WP248 rev.01), and the CNIL lists of required and non-required processing. Reasoned conclusion, whether the DPIA is ultimately mandatory or not.
Purposes, categories of data and data subjects, recipients, retention periods: the complete mapping required by Article 35.7.a, consistent with your record of processing activities (art. 30).
Verification that each piece of data collected is necessary for the purpose pursued, that the legal basis (art. 6) is identified for each processing operation, and that the data minimisation principle (art. 5.1.c) is respected.
For each identified risk: severity, likelihood, measures already in place, residual risk, presented as a table usable by your management or your DPO.
Technical and organisational measures envisaged (art. 32), reasoned conclusion and documented justification under the accountability principle (art. 5.2), ready for use in the event of a CNIL inspection.
A structured, sourced document, honest about what still needs validation by your lawyer or your DPO
The complete document following Article 35.7 (a to d), with a reasoned conclusion.
The preliminary analysis that decides whether your processing falls within the scope of the obligation.
The DPIA relies on the same foundation as your record of processing activities.
Every point of uncertainty is explicitly flagged, never decided on your behalf.
Every legal statement is sourced, not stated from memory.
Delivered in an editable format, reusable by your DPO or your lawyer.
A method based on texts and authorities, not on in-house interpretations
Data protection impact assessment. Consolidated text of Regulation (EU) 2016/679 (EUR-Lex, CELEX 32016R0679).
The EDPB's (formerly Article 29 Working Party) 9 high-risk criteria, adopted by the CNIL as the reference method for determining the DPIA obligation.
Lists of processing operations for which a DPIA is required or not required, and the CNIL method for conducting an impact assessment.
Record of processing activities: the consistency foundation (purposes, data, retention periods) on which every DPIA relies.
The scope depends on the number of processing operations, their complexity, and what is already documented on your side. Quote established after an initial discussion.
You don't know whether your processing is concerned
Processing identified as high risk
Several at-risk processing operations to cover
A DPIA is never set in stone
Article 35.11 of the GDPR requires the analysis to be reviewed in the event of a significant change to the processing (new processor, hosting change, extension of the collection scope). A review quote is established on a case-by-case basis.
Describe your processing to us, and we'll get back to you with a tailored quote.