gdpr-pia · listed

Data Protection Impact Assessment (DPIA / GEB) workflow against AVG Art 35 — trigger check (AP criteria and WP 248), systematic description, necessity, risk analysis from the data subject's perspective, measures and residual risk, prior consultation with the Autoriteit Persoonsgegevens.
roodlicht/accans-sec-skills · ★ 4 · AI & Automation · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# AVG / GDPR Data Protection Impact Assessment

> **Disclaimer**: this is not legal advice. A DPIA is a legally sensitive document that exposes the organization to AP supervision and potentially civil claims. This skill structures the analysis; final qualifications (lawful basis, proportionality balancing, residual-risk acceptance) belong with the FG/DPO and/or privacy counsel.

## When to use

Art 35 AVG requires a Data Protection Impact Assessment (DPIA, in NL also "gegevensbeschermingseffectbeoordeling" or GEB) for processing operations posing a high risk to data subjects. This skill helps with the trigger check, drafting, and prior consultation of the AP when the residual risk remains high.

Triggers on:

- A question like "do we need a DPIA for this", "is this processing high-risk under the AVG", "help me draft a DPIA", "how do we do prior consultation with the AP", "DPIA template".
- A new or substantially changed processing of personal data: new SaaS introduction, AI/ML application that profiles, camera systems, biometrics, health data, large-scale data, employee monitoring, or processing in countries without an adequacy decision.
- A handoff from `risk-register` when privacy risk is part of it, or from `vendor-questionnaire` when a processor newly comes into scope.
- An FG/DPO question during supervisory or audit preparation.

### When NOT (handoff)

- Breach notifications (Art 33/34 AVG) → `ir-runbook` with a separate AP reporting procedure. DPIA is preventive, breac