← All legal docsCompliance
DPIA / DSFA Template
Data Protection Impact Assessment template under GDPR/DSGVO Article 35
- Brand
- Nidai
- Owner / Inhaber
- Mohamed Essam Mohamed Shafey
- Address / Anschrift
- Frankfurter Allee 281, 10317 Berlin, Germany
- Website
- https://nidai.eu
- Email / E-Mail
- hallo@nidai.eu
- Phone / Telefon
- +49 157 51456670
- Legal form / Rechtsform
- Einzelunternehmen (sole proprietorship, not registered in the commercial register)
- VAT / USt.
- VAT is not charged pursuant to § 19 UStG (Kleinunternehmerregelung).
- Tax / Steuer
- Steuernummer pending; USt-IdNr. pending.
When to Use This Template
Use this template before launching or materially changing a processing activity that may create a high risk to individuals. This is especially relevant for Company Knowledge Assistant (Nidai Brain) with sensitive internal data, AI Receptionist in healthcare contexts, recruitment portals, clinic/admin workflows, employee monitoring-like analytics, or large-scale document processing containing sensitive categories.
1. Processing Description
| Question | Answer |
|---|
| Service/project name | [Complete for project/customer] |
| Customer/controller | [Complete for project/customer] |
| Nidai role: controller, processor or joint controller? | [Complete for project/customer] |
| Business purpose | [Complete for project/customer] |
| Detailed workflow | [Complete for project/customer] |
| Systems and sub-processors used | [Complete for project/customer] |
| Hosting location | [Complete for project/customer] |
| Data sources | [Complete for project/customer] |
| AI model providers used | [Complete for project/customer] |
| Human review points | [Complete for project/customer] |
2. Data and Affected Persons
| Category | Details |
|---|
| Data subjects | [Complete] |
| Personal data categories | [Complete] |
| Special categories under Art. 9 GDPR | [Complete] |
| Criminal/offence data under Art. 10 GDPR | [Complete] |
| Employee data | [Complete] |
| Children or vulnerable persons | [Complete] |
| Volume/scale | [Complete] |
| Retention period | [Complete] |
| Deletion method | [Complete] |
3. Necessity and Proportionality
| Check | Assessment |
|---|
| Is the processing necessary for the stated purpose? | [Yes/No + explanation] |
| Can the purpose be achieved with less data? | [Yes/No + explanation] |
| Is AI necessary or can rules/manual review solve it? | [Yes/No + explanation] |
| Is there meaningful human oversight? | [Yes/No + explanation] |
| Are data subjects informed? | [Yes/No + explanation] |
| Can data subjects exercise access/deletion/objection rights? | [Yes/No + explanation] |
| Are outputs explainable/cited where appropriate? | [Yes/No + explanation] |
4. Risk Assessment
| Risk | Likelihood | Severity | Mitigation | Residual risk |
|---|
| Wrong AI extraction/answer causes business or personal harm | [Low/Med/High] | [Low/Med/High] | Human review, confidence flags, citations, audit log | [Assess] |
| Unauthorized access to customer documents | [Assess] | [Assess] | RBAC, RLS, MFA, logging, encryption | [Assess] |
| Sensitive data sent to unsuitable AI provider | [Assess] | [Assess] | Provider review, payload minimization, EU hosting, no consumer AI | [Assess] |
| Data retained longer than needed | [Assess] | [Assess] | Retention schedule, deletion workflow, customer export window | [Assess] |
| Automated decision-making or profiling risk | [Assess] | [Assess] | No solely automated legal/significant decisions; human approval required | [Assess] |
| Employee monitoring / Betriebsrat conflict | [Assess] | [Assess] | Limit analytics, aggregate reporting, customer works council review | [Assess] |
5. Decision
| Decision item | Result |
|---|
| Can the project proceed? | [Complete] |
| Required additional TOMs | [Complete] |
| Required contract clauses | [Complete] |
| Required customer notices | [Complete] |
| Required legal/DSB review | [Complete] |
| Need for prior consultation with authority? | [Complete] |
| Approval owner and date | [Complete] |
| Next review date | [Complete] |
Quick High-Risk Triggers for Nidai
- Patient/health data at scale or clinic workflows.
- Recruitment or HR matching/scoring decisions.
- Employee productivity/behavior monitoring.
- Large-scale RAG over emails containing employee/client data.
- Automated decisions with legal or similarly significant effects.
- Use of biometric, emotion recognition, or sensitive inference features — avoid unless separately reviewed.