EDPB‑Aligned Language for DPIAs: Precision Phrasing and Article 35 Trigger Wording (DPIA)
Unsure whether a processing project actually crosses the Article 35 threshold? By the end of this lesson you will be able to draft concise, EDPB‑aligned Article 35 trigger wording that states the processing, scope, likely high risks, why mitigations fall short, and an authoritative conclusion that a DPIA is required. You’ll get a clear, step‑by‑step formula, model deconstructions and real-world examples, plus exercises to test and refine your drafting—delivered in a restrained, enforcement‑aware tone suited to supervisory review.
Step 1 — Establish the legal purpose and structure
A Data Protection Impact Assessment (DPIA) is a legally prescribed process under the General Data Protection Regulation (GDPR) that identifies and mitigates risks to the rights and freedoms of natural persons arising from processing personal data. The DPIA’s primary objective is not merely documentation but reasoned decision-making: it requires controllers to systematically assess whether planned or existing processing operations create a high risk to data subjects and, where appropriate, to identify measures to mitigate those risks. The European Data Protection Board (EDPB) provides authoritative guidance on DPIAs: it clarifies when a DPIA is required, what substantive elements should be considered, and how supervisory authorities expect DPIAs to be documented. EDPB guidance emphasizes clarity, proportionality, and evidence-based reasoning.
In practice, many DPIAs are judged first by a short, decisive statement that establishes whether Article 35 GDPR is triggered, that is, whether a DPIA is legally required. This decisive statement is what we call an "Article 35 trigger wording (DPIA)." Because supervisory authorities and auditors often read DPIAs at scale, this trigger wording must be concise, EDPB-aligned, and legally precise. It should enable a reader to understand, in a few lines, why the processing is likely to result in a high risk to the rights and freedoms of natural persons and why a DPIA is therefore required. Note that Art. 35(1) frames the threshold around the nature, scope, context and purposes of the processing, with particular attention to the use of new technologies; the trigger wording should make those attributes visible.
A formulaic structure helps produce such statements consistently. Use the following template components in sequence: [Processing description] + [Scope & scale] + [Likely high risk(s) to rights/freedoms] + [Why other mitigations are insufficient] + [Conclusion: DPIA required]. Each element has a role:
- Processing description: a short, neutral description of the operation (what is processed, how, and by whom).
- Scope & scale: objective indicators that make the processing large-scale, systemic, or otherwise significant (numbers, duration, geographic reach, categories of data subjects).
- Likely high risks: concrete risks to rights and freedoms (e.g., decision-making affecting legal status, discrimination, loss of confidentiality, physical harm) stated in the language EDPB uses (‘‘high risk’’; ‘‘likelihood/severity’’).
- Why other mitigations are insufficient: explicit reasons other safeguards do not adequately reduce risk to an acceptable level (e.g., safeguards are untested, residual risk remains high despite encryption, lack of opt-out, inability to achieve purpose without profiling).
- Conclusion: a tight, affirmative sentence citing the legal basis for the DPIA requirement (e.g., Art. 35(1) GDPR). This conclusion may also point to EDPB guidance as supporting authority.
Composing a trigger statement with these five parts ensures the statement is defensible, aligned with EDPB expectations, and tailored to supervisory review.
Step 2 — Model structure and deconstruction of trigger statements
When constructing an Article 35 trigger wording (DPIA), writers should prioritize precision in verb choice and the selection of facts that demonstrate high risk. The EDPB expects language that connects processing features directly to recognized categories of risk. The EDPB-endorsed DPIA guidelines (WP248 rev.01) list nine criteria that indicate likely high risk: evaluation or scoring (including profiling), automated decision-making with legal or similarly significant effects, systematic monitoring, sensitive or highly personal data, large-scale processing, matching or combining datasets, data concerning vulnerable data subjects, innovative use or application of new technological or organisational solutions, and processing that prevents data subjects from exercising a right or using a service or contract. The guidelines' rule of thumb is that processing meeting two or more of these criteria will in most cases require a DPIA, and that a controller may still choose to conduct one where only a single criterion is met. In drafting, make sure each phrase maps to a recognisable criterion: for example, "profiling leading to automated decision-making" links to the risk of legal or similarly significant effects (and to Art. 35(3)(a)), while "systematic monitoring of a publicly accessible area on a large scale" aligns with Art. 35(3)(c) and the guidelines' surveillance examples.
In decomposition, examine each part of your trigger statement and ask: does this clause supply an evidentiary fact (scope/scale), express a concrete likely harm (rights/freedoms), or explain why mitigation was insufficient? Precision matters. Substitute vague qualifiers like ‘‘may’’ with measured terms such as ‘‘is likely to’’ or ‘‘creates a high risk of’’ only where supported by analysis. Keep the tense and modality consistent: a trigger statement concludes that a DPIA is required (present tense, affirmative) because of identified attributes of the processing and the inadequacy of mitigations.
Always anchor trigger wording to the legal text and EDPB guidance. Cite Article 35(1) GDPR when concluding a DPIA is required; cite the relevant limb of Article 35(3) when one of its enumerated cases applies: (a) systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based; (b) large-scale processing of special categories of data (Art. 9) or of personal data relating to criminal convictions and offences (Art. 10); or (c) systematic monitoring of a publicly accessible area on a large scale. Large-scale processing on its own is an indicator under the EDPB-endorsed guidelines, not an Art. 35(3) case, so do not cite 35(3) for scale alone. Also check the list published by the competent supervisory authority under Art. 35(4) of processing operations that require a DPIA (and, where one exists, the Art. 35(5) list of operations that do not); if the processing appears on an Art. 35(4) list, say so in the trigger wording, since that settles the threshold question. Where useful, include a reference to the Guidelines on Data Protection Impact Assessment (WP248 rev.01), adopted by the Article 29 Working Party in 2017 and endorsed by the EDPB in May 2018, to show alignment with supervisory interpretation. If landmark case law directly addresses a similar fact pattern, reference it succinctly to demonstrate awareness of enforcement precedent and interpretive context. Use citations sparingly but precisely; citations support rather than replace factual description.
Step 3 — Contrast with Article 32 security and legitimate interest language; integrate enforcement-aware phrasing
It is crucial to distinguish Article 35 trigger wording from other common GDPR statement types, especially Article 32 security measure descriptions and legitimate interest balancing-test language. Each serves a different legal purpose and therefore requires different tone, content, and rhetorical posture.
Article 32 statements are technical and control-focused. They describe concrete measures implemented or planned to achieve a level of security appropriate to the risk (e.g., encryption, access controls, logging, resilience measures). The language is affirmative and implementation-oriented: "We have implemented AES-256 encryption at rest and TLS 1.2+ in transit; access to the dataset is limited through role-based access controls and multifactor authentication." The focus is on operational specifics, timelines, and verification, not on the high-risk legal threshold. A DPIA trigger should never conflate these descriptions with the question of whether a DPIA is required: Article 32 measures address the security risk of unauthorised or unlawful processing and of accidental loss, destruction or damage, whereas the Article 35 threshold also covers risks that arise from the intended processing working as designed (discriminatory scoring, intrusive monitoring, chilling effects). A trigger statement can note that security measures exist but must then explain why those measures do not by themselves remove the likelihood of high risk (e.g., residual risk from discriminatory automated decision-making remains even if the data is perfectly protected). The detailed security measures still belong in the DPIA, but in the body, as part of the measures envisaged to address the risks required by Art. 35(7)(d).
Legitimate interest balancing-test language has a distinct structure: identification of the legitimate interest, necessity test, and proportionality/impact mitigation analysis. Tone here is more analytic and normative: one weighs interests, explains why processing is necessary, and documents mitigations. By contrast, Article 35 trigger wording is diagnostic and threshold-focused; it states that, because of specific processing characteristics and residual risk, a DPIA is legally required under Article 35. Avoid the balancing-test’s ‘‘weighing’’ rhetoric in trigger wording; use it separately in the legitimate interest documentation.
Enforcement-aware phrasing changes the closing posture of a DPIA. Supervisory authorities expect DPIAs to be defensible, factual, and to signal an appropriate readiness to remediate. Recommended enforcement-aware closing sentences are short, assertive formulations that link findings to procedural duties and planned remedial measures. For example, after concluding a DPIA is required, follow with a sentence of this kind: "Given the high risk identified and the limited efficacy of available mitigations, the controller will: (i) consult the supervisory authority under Art. 36 GDPR, prior to commencing the processing, if residual high risk persists after the measures envisaged; (ii) implement the remedial measures set out in Section X; and (iii) maintain the decision-making record to enable regulatory review." Such phrasing shows awareness of procedural duties (prior consultation under Art. 36(1) is mandatory where the DPIA indicates that the processing would result in a high risk in the absence of mitigating measures), signals willingness to engage with the authority, and lists concrete remedial pathways.
Use a restrained, professional tone when addressing enforcement: avoid defensive language (e.g., ‘‘we believe’’ or ‘‘it is unlikely’’) in the trigger conclusion. Instead, opt for precise, evidence-based statements that make clear the conclusion rests on identifiable facts and legal criteria.
Step 4 — Practical drafting orientation and checklist for EDPB alignment
When preparing to write an Article 35 trigger wording (DPIA), orient your drafting to the EDPB’s priorities: clarity, proportionality, and demonstrable reasoning. Begin by compiling the key factual building blocks: exact categories of data, the processing operations, the scale and duration, numbers of data subjects, and the technology or methods used (profiling algorithms, biometric scanners, continuous sensors). These facts populate the ‘‘Processing description’’ and ‘‘Scope & scale’’ clauses of the formulaic template and serve as the evidentiary backbone of the trigger statement.
Next, translate those facts into likely harms: what rights or freedoms could be affected? Use the EDPB’s language when possible (e.g., ‘‘risk of discrimination’’, ‘‘risk of significant effects on individuals’ legal status’’, ‘‘risk to confidentiality leading to potential financial or reputational harm’’). Then evaluate mitigations objectively: are they untested, partial, or dependent on user choices that will not be broadly exercised? Document why mitigation does not reduce the risk below the high‑risk threshold.
Finally, conclude with an authoritative sentence invoking Article 35(1) and, where relevant, Article 35(3). Consider adding a parenthetical EDPB citation to show alignment with supervisory expectations. Keep the final line affirmative: the DPIA is required. Avoid hedging language there; reserve nuance for explanatory paragraphs elsewhere in the DPIA.
Use the following checklist to ensure EDPB alignment and enforceability:
- Does the trigger statement use the formulaic structure: Processing description + Scope & scale + Likely high risk(s) + Why mitigations insufficient + Conclusion (DPIA required)?
- Are factual assertions precise and verifiable (numbers, technologies, categories of data subjects)?
- Does the statement use EDPB-consistent terminology for risks and triggers (evaluation or scoring/profiling, automated decisions with legal or similarly significant effects, systematic monitoring, special categories, large scale, vulnerable data subjects, new technologies), and does it name the applicable Art. 35(3) limb or Art. 35(4) list entry where one exists?
- Are legal citations accurate and minimal (e.g., Art. 35(1), Art. 35(3); EDPB DPIA guidance reference) and placed to support, not substitute, factual claims?
- Is the tone appropriate: decisive in the conclusion, descriptive and evidence-based in the supporting clauses, technical in Article 32 descriptions (kept separate), and analytic in legitimate interest tests (kept separate)?
- Does the wording include enforcement-aware language where appropriate (reference to Art. 36 consultation, planned remedial measures, documentation for supervisory review) without appearing defensive?
- Is the overall phrasing concise enough for quick supervisory review while leaving room in the DPIA body for detailed analysis and mitigations?
Adhering to this structured approach produces Article 35 trigger wording (DPIA) that is sharp, EDPB-aligned, and defensible in enforcement contexts. The formulaic template and checklist help writers produce consistent, legally grounded trigger statements that supervisors can quickly assess and that controllers can rely on as part of a documented risk-management process.
- Use the five-part formula for Article 35 trigger wording: Processing description + Scope & scale + Likely high risk(s) to rights/freedoms + Why mitigations are insufficient + Conclusion that a DPIA is required.
- Anchor each clause in precise, verifiable facts (numbers, technologies, data categories) and use EDPB-consistent risk language (profiling, large-scale processing, systematic monitoring, special categories).
- Keep the conclusion decisive, present-tense, and legally grounded (cite Art. 35(1) and Art. 35(3) where relevant); avoid hedging and move technical controls to Article 32 descriptions.
- Include enforcement-aware closing steps when appropriate (e.g., consultation under Art. 36, planned remedial measures, and documentation for supervisory review) while maintaining a concise, evidence-based trigger statement.
Example Sentences
- The controller’s proposed facial-recognition entry system processes biometric templates of everyone entering its premises (processing description), covering all 3,500 employees and contractors plus visitors across 12 sites for an indefinite period (scope & scale), which is large-scale processing of special-category biometric data and creates a high risk of loss of privacy and of discriminatory impacts through misidentification and profiling (likely high risk; Art. 35(3)(b)), and existing encryption and access controls do not eliminate the risk of systematic matching errors or mission creep (why mitigations are insufficient); therefore, a DPIA is required under Art. 35(1) GDPR (conclusion).
- An online recruitment platform will apply automated scoring to CVs and social media profiles for 25,000 applicants annually (processing description + scope & scale), likely resulting in discriminatory decision-making and significant effects on applicants’ employment prospects (likely high risk), and manual review safeguards cannot fully remove algorithmic bias or opaque decision logic (why mitigations are insufficient); a DPIA is therefore required under Article 35(1), with Art. 35(3)(a) (systematic and extensive evaluation based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based) as the applicable case.
- Continuous in-store video analytics will systematically monitor customer movement and behaviour across 150 retail outlets for two years (processing description + scope & scale), which is large-scale systematic monitoring of publicly accessible areas and creates a high risk to individuals’ private life and potential reputational and financial harms if linked with purchase histories (likely high risk; Art. 35(3)(c)), and pseudonymisation alone cannot prevent re-identification when combined with loyalty data (why mitigations insufficient); consequently, the controller must carry out a DPIA under Art. 35(1).
- A health-research data lake will aggregate special categories of health data from 40 hospitals and track patients longitudinally for five years (processing description + scope & scale), likely exposing data subjects to significant risks to dignity and of discrimination if the data is breached or misused (likely high risk), and relying solely on consent and contractual safeguards is insufficient given the research’s scale and potential secondary uses (why mitigations insufficient); accordingly, a DPIA is required under Article 35(1) GDPR, with Art. 35(3)(b) (large-scale processing of special categories of data) as the applicable case and the EDPB-endorsed DPIA guidelines cited in support.
- The employer intends to implement continuous keystroke and screen monitoring of remote staff across multiple jurisdictions (processing description + scope & scale), a practice likely to result in intrusive systematic monitoring of employees, who are vulnerable data subjects by reason of the power imbalance, and in significant effects on workers’ privacy and autonomy (likely high risk), and role-based access controls, encryption and limited retention do not mitigate the fundamental intrusiveness or the power imbalance (why mitigations insufficient); therefore, a DPIA is required under Art. 35(1).
Example Dialogue
Alex: We plan to deploy a cloud-based profiling engine that scores customer creditworthiness using transaction histories and social data for our 1.2 million active users — could that trigger a DPIA?
Ben: Yes — that processing description plus the platform’s large scale and automated decision-making creates a high risk of significant effects on individuals’ legal and financial status, and technical safeguards like encryption won’t eliminate algorithmic bias or opaque profiling logic, so a DPIA is required under Art. 35(1) (and Art. 35(3) factors apply).
Alex: Good point—so in the DPIA conclusion we should state the processing, scope, the likely high risks, why mitigations are insufficient, and then affirm the DPIA requirement and next steps like possible consultation under Art. 36.
Ben: Exactly — keep the trigger wording concise, cite Art. 35(1) (and relevant EDPB guidance), and follow with enforcement-aware actions such as proposed remedial measures and documentation for supervisory review.
Exercises
Multiple Choice
1. Which element of the formulaic structure should explicitly state why existing security measures alone do not make the processing low risk?
- Processing description
- Why other mitigations are insufficient
- Scope & scale
Show Answer & Explanation
Correct Answer: Why other mitigations are insufficient
Explanation: The 'Why other mitigations are insufficient' part is specifically for explaining why safeguards (e.g., encryption, access controls) do not reduce residual risk to an acceptable level; it distinguishes Article 35 trigger wording from Article 32 technical descriptions.
2. When concluding an Article 35 trigger wording (DPIA), which tone and grammatical features are most appropriate?
- Hedging language like 'we believe' and future tense
- Decisive, present-tense affirmative language citing Art. 35(1)
- Technical implementation detail about encryption algorithms
Show Answer & Explanation
Correct Answer: Decisive, present-tense affirmative language citing Art. 35(1)
Explanation: The conclusion should be affirmative and in present tense (e.g., 'a DPIA is required under Art. 35(1)') to state the legal threshold has been met; hedging is inappropriate and technical detail belongs in Article 32 descriptions, not the trigger conclusion.
Fill in the Blanks
The template sequence for Article 35 trigger wording is: Processing description + Scope & scale + Likely high risk(s) + ___ + Conclusion (DPIA required).
Show Answer & Explanation
Correct Answer: Why other mitigations are insufficient
Explanation: The fourth component explains why existing safeguards do not reduce the identified risks sufficiently, completing the required five-part template sequence.
If processing involves automated evaluation or profiling on which decisions with legal or similarly significant effects are based, cite Art. 35(3), which also covers large-scale systematic monitoring of publicly accessible areas and large-scale processing of ___ of personal data.
Show Answer & Explanation
Correct Answer: special categories
Explanation: Article 35(3) enumerates three cases in which a DPIA is required in particular: (a) systematic and extensive evaluation based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based; (b) large-scale processing of 'special categories' of data (Art. 9) or of data relating to criminal convictions and offences (Art. 10); and (c) large-scale systematic monitoring of publicly accessible areas. Where one of these applies, name the limb in the trigger wording; large scale on its own is an indicator under the EDPB-endorsed guidelines rather than an Art. 35(3) case.
Error Correction
Incorrect: The DPIA trigger should include detailed encryption algorithm versions to prove Art. 35(1) applies.
Show Correction & Explanation
Correct Sentence: The DPIA trigger should state why mitigations are insufficient but avoid technical Article 32 details like specific encryption algorithm versions.
Explanation: Trigger wording focuses on threshold and residual risk reasoning (Article 35), not detailed technical controls (Article 32). High-level mention of security is acceptable, but low-level implementation detail belongs elsewhere.
Incorrect: A trigger statement can end with 'we think a DPIA might be required' to remain cautious.
Show Correction & Explanation
Correct Sentence: A trigger statement should conclude affirmatively, for example: 'a DPIA is required under Art. 35(1) GDPR.'
Explanation: EDPB-aligned trigger wording must be decisive and affirmative about the DPIA requirement; hedging like 'might' undermines clarity and the supervisory review function.