
A DPIA template that survives a Datatilsynet audit.

Eight sections, twenty-four fields, a risk matrix and three signature blocks. Filled in for face-recognition processing under Article 35 — and pre-populated with what Ansikt does, so you only need to add what's specific to you.

Article: GDPR Art. 35
Aligned with: Datatilsynet template
Length: 14 pages · DOCX
Last reviewed: March 2026
Download: DPIA-template-v3.docx · PDF preview · Free · no email required · CC-BY 4.0
Preview

The whole template, on one page.

What you'd see if you opened the file. Every section has a fillable field, a worked example, and a note on which Article it satisfies.

Data Protection Impact Assessment · Photo archive recognition

DPIA-2026-001 · Draft
i. Project overview

State the processing in plain language. Who, where, what is being indexed, and what changes once Ansikt is in place. Keep it under one page; an auditor reads this section first.

Project name: DSAR readiness · marketing photo archive
Controller: Acme A/S, CVR 12 34 56 78
Processor: Ansikt ApS · CVR 44 55 66 77 · Copenhagen
Sources in scope: List drives, websites, intranets, S3 buckets…
Data subjects: employees · former employees · event attendees

ii. Necessity & proportionality

Why face recognition rather than a less invasive method. Article 5(1)(c) — data minimisation — requires you to consider alternatives and document why they were rejected.

Less-invasive alternatives considered: filename search · manual review · captioning · skipping the request
Why rejected: Document the failure mode of each alternative…
Volume of data: ~ 280,000 images across 4 systems

iii. Lawful basis

Biometric data identifying a natural person is a special category under Article 9. Standard Article 6 grounds are insufficient on their own — you need an Article 9(2) condition as well.

Article 6 basis: 6(1)(c) legal obligation — answering DSARs under Art. 15
Article 9(2) condition: 9(2)(b) employment law · or 9(2)(g) substantial public interest
Cited national law: Databeskyttelsesloven § 7, stk. 1

iv. Data flows

Each hop, with protocol and jurisdiction. The architecture diagram on /security can be used verbatim. Tell the auditor what is stored, where, and for how long.

Image storage: remains at source · no copies in Ansikt
Vector storage: Hetzner · Frankfurt · AES-256 · per-tenant key
Audit log: 12-month default · customer-configurable
Sub-processors: Hetzner · Scaleway · Postmark EU · Plausible (EEA)
Cross-border transfers: none · 100% EU/EEA

v. Risks to data subjects

The five risks Datatilsynet specifically asks about, with default ratings for an Ansikt deployment. Adjust to your context; a risk register that says "all low" gets an audit flag of its own.

#      Risk                                   Likelihood   Severity   Residual
R-01   Misidentification of a data subject    medium       medium     low
R-02   Unauthorised internal access           low          high       low
R-03   Indefinite retention of vectors        medium       medium     low
R-04   Function creep into surveillance       low          high       low
R-05   Subject unable to exercise rights      medium       high       low

vi. Mitigations

The control mapping. Each risk above must reference at least one mitigation here. Prefer technical controls; document organisational ones too.

R-01 · misidentification: Confidence threshold ≥ 0.92 for auto-confirm · 0.78–0.91 routed to human review · all matches reviewable in subject portal
R-02 · unauthorised access: SSO · SCIM · MFA · just-in-time elevation · per-tenant encryption keys
R-03 · indefinite retention: Vectors retained while indexed · automatic deletion on source removal · 24-hour erasure SLA on subject request
R-04 · function creep: Contractual prohibition in DPA · scope limited to controller-owned sources · no open-internet indexing
R-05 · subject rights: Subject portal · signed PDF export · plain-language privacy notice · published DPO contact

vii. Consultation

Article 35(9) requires you to seek the views of data subjects "where appropriate." Document who you consulted, what you heard, and what you changed.

DPO opinion: Attach the written opinion under Art. 39…
Works council / staff representatives: Date of meeting · summary · objections raised…
Prior consultation with Datatilsynet: required if residual risk is high · Art. 36

viii. Sign-off

Three signatures, three dates. Without all three, the DPIA is a draft. Re-review on a fixed schedule and whenever the processing materially changes.

Controller: Name · title · date
Data Protection Officer: Name · date · opinion ref.
Senior management: Name · title · date

Use it · don't pay for it

Free, CC-BY-licensed, ours by mistake.

Download · DOCX