Skip to content
All legal docs

Compliance

DPIA / DSFA Template

Data Protection Impact Assessment template under GDPR/DSGVO Article 35

Brand
Nidai
Owner / Inhaber
Mohamed Essam Mohamed Shafey
Address / Anschrift
Frankfurter Allee 281, 10317 Berlin, Germany
Website
https://nidai.eu
Email / E-Mail
hallo@nidai.eu
Phone / Telefon
+49 157 51456670
Legal form / Rechtsform
Einzelunternehmen (sole proprietorship, not registered in the commercial register)
VAT / USt.
VAT is not charged pursuant to § 19 UStG (Kleinunternehmerregelung).
Tax / Steuer
Steuernummer pending; USt-IdNr. pending.

When to Use This Template

Use this template before launching or materially changing a processing activity that may create a high risk to individuals. This is especially relevant for Company Knowledge Assistant (Nidai Brain) with sensitive internal data, AI Receptionist in healthcare contexts, recruitment portals, clinic/admin workflows, employee monitoring-like analytics, or large-scale document processing containing sensitive categories.

1. Processing Description

QuestionAnswer
Service/project name[Complete for project/customer]
Customer/controller[Complete for project/customer]
Nidai role: controller, processor or joint controller?[Complete for project/customer]
Business purpose[Complete for project/customer]
Detailed workflow[Complete for project/customer]
Systems and sub-processors used[Complete for project/customer]
Hosting location[Complete for project/customer]
Data sources[Complete for project/customer]
AI model providers used[Complete for project/customer]
Human review points[Complete for project/customer]

2. Data and Affected Persons

CategoryDetails
Data subjects[Complete]
Personal data categories[Complete]
Special categories under Art. 9 GDPR[Complete]
Criminal/offence data under Art. 10 GDPR[Complete]
Employee data[Complete]
Children or vulnerable persons[Complete]
Volume/scale[Complete]
Retention period[Complete]
Deletion method[Complete]

3. Necessity and Proportionality

CheckAssessment
Is the processing necessary for the stated purpose?[Yes/No + explanation]
Can the purpose be achieved with less data?[Yes/No + explanation]
Is AI necessary or can rules/manual review solve it?[Yes/No + explanation]
Is there meaningful human oversight?[Yes/No + explanation]
Are data subjects informed?[Yes/No + explanation]
Can data subjects exercise access/deletion/objection rights?[Yes/No + explanation]
Are outputs explainable/cited where appropriate?[Yes/No + explanation]

4. Risk Assessment

RiskLikelihoodSeverityMitigationResidual risk
Wrong AI extraction/answer causes business or personal harm[Low/Med/High][Low/Med/High]Human review, confidence flags, citations, audit log[Assess]
Unauthorized access to customer documents[Assess][Assess]RBAC, RLS, MFA, logging, encryption[Assess]
Sensitive data sent to unsuitable AI provider[Assess][Assess]Provider review, payload minimization, EU hosting, no consumer AI[Assess]
Data retained longer than needed[Assess][Assess]Retention schedule, deletion workflow, customer export window[Assess]
Automated decision-making or profiling risk[Assess][Assess]No solely automated legal/significant decisions; human approval required[Assess]
Employee monitoring / Betriebsrat conflict[Assess][Assess]Limit analytics, aggregate reporting, customer works council review[Assess]

5. Decision

Decision itemResult
Can the project proceed?[Complete]
Required additional TOMs[Complete]
Required contract clauses[Complete]
Required customer notices[Complete]
Required legal/DSB review[Complete]
Need for prior consultation with authority?[Complete]
Approval owner and date[Complete]
Next review date[Complete]

Quick High-Risk Triggers for Nidai

  • Patient/health data at scale or clinic workflows.
  • Recruitment or HR matching/scoring decisions.
  • Employee productivity/behavior monitoring.
  • Large-scale RAG over emails containing employee/client data.
  • Automated decisions with legal or similarly significant effects.
  • Use of biometric, emotion recognition, or sensitive inference features — avoid unless separately reviewed.