LIVE · v1.9 STABLE
BUILD 2026.05.27
ART. 35
AGPL-3.0 · 8 EVAL CASES · 72 ASSERTIONS

IMPACT ASSESSMENT by THRESHOLD FIRST.

Decides whether a DPIA is required, then runs it end to end. EDPB nine-criteria threshold, multi-jurisdictional SA blacklists, two-track risk model, calibrated 5×5 scoring, Art. 36 consultation check, and EDPB template generation — one guided workflow under Art. 35.

GDPR ART. 35   ·   GDPR ART. 36   ·   GDPR ART. 35(3)   ·   GDPR ART. 35(4)   ·   EDPB WP 248 REV.01   ·   EDPB DPIA TEMPLATE v1.0   ·   EDPB OPINION 28/2024   ·   EDPB GUIDELINES 01/2025   ·   DSK   ·   CNIL   ·   DPC   ·   APD
§ 01 · CAPABILITIES

SIX PRIMITIVES. One SKILL.

Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.

01
NINE-CRITERIA THRESHOLD
EDPB WP 248 rev.01 nine-criteria test plus the three absolute Art. 35(3) triggers. Meeting two or more criteria is treated as a rebuttable presumption that a DPIA is required, not a mandate; a decision to rebut it must be reasoned and documented.
02
JURISDICTION BLACKLISTS
Art. 35(4) national lists for DE, FR, IE, BE, NL, IT and PL. Lists are additive and territorial: a single processing activity is checked against the list of every Member State where the controller is established or data subjects are located, and one hit on any applicable list is enough to make the DPIA mandatory.
03
TWO-TRACK RISK MODEL
Track A inherent-by-design risks and Track B operational risks, both scored from the data subject's perspective under Recital 75.
04
CALIBRATED SCORING
5×5 likelihood × severity matrix with aggravating and mitigating modulating factors. Genuine pseudonymisation lowers likelihood; trivial re-identification does not.
05
ART. 36 CONSULTATION
Sequential prior-consultation check on residual risk. Four-outcome verdict: APPROVED, CONDITIONALLY APPROVED, CONSULT SA, REJECTED.
06
TEMPLATE GENERATION
Audit-ready .docx via template population (unpack → fill → repack): official EDPB 2026 format or custom 12-section report.
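As an added worked example (not the skill's own code), the decision logic of capabilities 01 and 02 in Python: the three Art. 35(3) triggers, the nine WP 248 criteria with the two-criteria rule as a rebuttable presumption, and additive territorial Art. 35(4) lists checked for every applicable Member State. The national list entries and the tag names are constructed for illustration and are not the real DSK/CNIL/AP items, and mapping a single criterion to "Recommended" is an assumption.

```python
from dataclasses import dataclass, field

# GDPR Art. 35(3): processing that always requires a DPIA.
ART_35_3_TRIGGERS = {
    "systematic_evaluation_with_legal_or_similar_effect",  # Art. 35(3)(a)
    "large_scale_special_categories_or_criminal_data",     # Art. 35(3)(b)
    "large_scale_systematic_public_area_monitoring",       # Art. 35(3)(c)
}

# WP 248 rev.01: the nine "likely to result in high risk" criteria (short labels).
NINE_CRITERIA = {
    "evaluation_or_scoring",
    "automated_decision_with_legal_or_similar_effect",
    "systematic_monitoring",
    "sensitive_or_highly_personal_data",
    "large_scale",
    "matching_or_combining_datasets",
    "vulnerable_data_subjects",
    "innovative_use_or_new_technology",
    "prevents_exercising_rights_or_using_service",
}

# Constructed stand-in for the national Art. 35(4) lists, keyed by Member State.
# Tags and entries are illustrative only; load the real DSK/CNIL/DPC/APD items instead.
NATIONAL_LISTS = {
    "DE": {"ai_applicant_scoring", "large_scale_employee_monitoring"},
    "FR": {"ai_applicant_scoring", "health_data_warehouse"},
    "NL": {"large_scale_employee_monitoring"},
}


@dataclass
class Processing:
    controller_state: str                         # where the controller is established
    data_subject_states: set = field(default_factory=set)
    art_35_3: set = field(default_factory=set)    # Art. 35(3) triggers that apply
    criteria: set = field(default_factory=set)    # WP 248 criteria that apply
    list_tags: set = field(default_factory=set)   # tags matched against national lists


def applicable_states(p: Processing) -> set:
    """Lists are territorial and additive: controller establishment plus every
    Member State whose data subjects are in scope."""
    return {p.controller_state} | set(p.data_subject_states)


def assess_threshold(p: Processing) -> dict:
    unknown = (p.art_35_3 - ART_35_3_TRIGGERS) | (p.criteria - NINE_CRITERIA)
    if unknown:
        raise ValueError(f"unknown trigger/criterion labels: {sorted(unknown)}")

    # Check every applicable list, even when an absolute trigger already decides,
    # so the verdict shows all the reasoning.
    list_hits = {}
    for state in sorted(applicable_states(p)):
        matched = NATIONAL_LISTS.get(state, set()) & p.list_tags
        if matched:
            list_hits[state] = sorted(matched)

    met = sorted(p.criteria)
    reasons = []
    if p.art_35_3:
        verdict, rebuttable = "Required", False
        reasons.append(f"Art. 35(3) absolute trigger(s): {sorted(p.art_35_3)}")
    elif list_hits:
        verdict, rebuttable = "Required", False
        reasons.append(f"Art. 35(4) national list hit(s): {list_hits}")
    elif len(met) >= 2:
        # WP 248: two or more criteria -> DPIA presumed required; rebuttable with reasons.
        verdict, rebuttable = "Required", True
        reasons.append(f"{len(met)} of nine WP 248 criteria met: {met} (presumption)")
    elif len(met) == 1:
        verdict, rebuttable = "Recommended", True   # one criterion: assumed mapping
        reasons.append(f"1 of nine WP 248 criteria met: {met}")
    else:
        verdict, rebuttable = "Not Required", True
        reasons.append("no Art. 35(3) trigger, no list hit, no WP 248 criterion met")

    return {
        "verdict": verdict,
        "rebuttable": rebuttable,
        "states_checked": sorted(applicable_states(p)),
        "list_hits": list_hits,
        "criteria_met": met,
        "reasons": reasons,
    }
```

A German controller scoring applicants in France and the Netherlands is therefore checked against the DE, FR and NL lists at once; in the constructed data that yields two list hits and a non-rebuttable "Required", independent of how many WP 248 criteria are met.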
§ 02 · WORKFLOW

FROM INPUT to ARTEFACT.

Twelve structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.

01
Disclaimer & routing
Non-blocking disclaimer. Determine the need: threshold question, full DPIA, document generation, or specific legal question. Load references accordingly.
02
Jurisdiction selection
Ask where the controller is established and where data subjects are located. Load all relevant national list files for multi-jurisdictional processing.
03
Threshold assessment
Run Art. 35(3) absolute triggers, the nine-criteria analysis, and the national blacklist check. Verdict: Required / Recommended / Not Required.
04
Processing description
Systematic description of the processing per Art. 35(7)(a).
05
Asset inventory
Collect risk-relevant assets — hardware, software, APIs/models, personnel, sites, organisational. Group by module or technical layer (EDPB Section 1.3).
06
Necessity gate
Upstream test: is the processing effective and least intrusive?
07
Proportionality gate
Upstream test: do the benefits justify the impacts on data subjects?
08
Inherent risk scoring
Track A by-design and Track B operational risks. 5×5 likelihood × severity plus modulating factors.
09
Mitigation
Technical, organisational, and legal measures with implementation status: Planned / Partially Implemented / Implemented.
10
Residual risk
Recompute after mitigation. Overall verdict across the four outcomes.
11
Art. 36 check
If residual risk stays high after all feasible mitigations, prior consultation with the SA is required before processing begins; the SA has up to 8 weeks to give written advice, extendable by a further 6 weeks (Art. 36(2)).
12
Documentation
Generate the chosen .docx format. Assessment is iterative — if mitigations change the design, revisit earlier analysis and flag it.
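As an added worked example for steps 08 to 11 (and capabilities 04 and 05), not the skill's own code: a 5×5 likelihood × severity score with modulating factors, residual risk recomputed so that only Implemented measures earn credit, and the four-outcome verdict with the Art. 36 flag. The band cut-offs (Low below 8, Medium 8 to 14, High 15 and above), the size of the sample deltas, and the verdict mapping (failed necessity or proportionality gate: REJECTED; residual High after all feasible measures: CONSULT SA; verdict resting on Planned or Partially Implemented measures: CONDITIONALLY APPROVED) are assumptions made for illustration, and the sample risk is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

IMPLEMENTED = "Implemented"
STATUSES = {"Planned", "Partially Implemented", IMPLEMENTED}


def clamp(v: int) -> int:
    """Keep likelihood and severity on the 1..5 scale after deltas are applied."""
    return max(1, min(5, v))


def band(score: int) -> str:
    """Assumed bands on the 1..25 product scale (cut-offs are not from the page)."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


@dataclass
class Factor:
    """A modulating factor or a mitigating measure: signed deltas on the two axes."""
    name: str
    likelihood_delta: int = 0
    severity_delta: int = 0
    status: str = IMPLEMENTED  # measures: Planned / Partially Implemented / Implemented


def pseudonymisation(genuine: bool) -> Factor:
    """Genuine pseudonymisation lowers likelihood (EDPB Guidelines 01/2025); a scheme
    whose re-identification is trivial earns no credit. The -1 step is an assumption."""
    return Factor("pseudonymisation", likelihood_delta=-1 if genuine else 0)


@dataclass
class Risk:
    risk_id: str
    track: str          # "A" inherent-by-design, "B" operational
    description: str
    likelihood: int     # 1..5, judged from the data subject's perspective (Recital 75)
    severity: int       # 1..5
    modulators: List[Factor] = field(default_factory=list)
    measures: List[Factor] = field(default_factory=list)


def _apply(l: int, s: int, factors: List[Factor]) -> Tuple[int, int]:
    for f in factors:
        l, s = l + f.likelihood_delta, s + f.severity_delta
    return clamp(l), clamp(s)


def inherent(r: Risk) -> dict:
    l, s = _apply(r.likelihood, r.severity, r.modulators)
    return {"likelihood": l, "severity": s, "score": l * s, "level": band(l * s)}


def residual(r: Risk) -> dict:
    """Residual risk credits only measures that are actually Implemented: a measure
    that is still Planned or Partially Implemented must not lower today's score."""
    for m in r.measures:
        if m.status not in STATUSES:
            raise ValueError(f"{r.risk_id}: unknown status {m.status!r}")
        if m.likelihood_delta > 0 or m.severity_delta > 0:
            raise ValueError(f"{r.risk_id}: measure {m.name!r} may not increase risk")
    base = inherent(r)
    live = [m for m in r.measures if m.status == IMPLEMENTED]
    l, s = _apply(base["likelihood"], base["severity"], live)
    return {"likelihood": l, "severity": s, "score": l * s, "level": band(l * s),
            "pending_measures": [m.name for m in r.measures if m.status != IMPLEMENTED]}


def overall_verdict(risks: List[Risk], gates_passed: bool = True) -> dict:
    """Four-outcome verdict; the mapping is an assumption (see lead-in)."""
    results = {r.risk_id: residual(r) for r in risks}
    levels = {v["level"] for v in results.values()}
    pending = any(v["pending_measures"] for v in results.values())
    if not gates_passed:
        verdict = "REJECTED"            # failed necessity or proportionality gate
    elif "High" in levels:
        verdict = "CONSULT SA"          # Art. 36: high residual risk remains
    elif pending:
        verdict = "CONDITIONALLY APPROVED"
    else:
        verdict = "APPROVED"
    return {"verdict": verdict, "art_36_consultation": verdict == "CONSULT SA",
            "residual": results}


# Constructed sample risk: automated CV scoring, Track A, L4 x S5 before factors.
CV_SCORING = Risk(
    "R-01", "A", "Automated CV scoring ranks applicants without human review",
    likelihood=4, severity=5,
    modulators=[pseudonymisation(genuine=True)],
    measures=[
        Factor("role-based access to score data", likelihood_delta=-1),
        Factor("human review of every adverse decision", severity_delta=-2,
               status="Planned"),
    ],
)
```

For the sample, genuine pseudonymisation moves the inherent score from 20 to 15 (still High); the one Implemented measure brings the residual to 10 (Medium), while the Planned human-review measure earns nothing yet, so the verdict is CONDITIONALLY APPROVED rather than APPROVED. Swap in `pseudonymisation(genuine=False)` with no measures and the residual stays High, which sets the Art. 36 flag.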
§ 03 · MODES

TWO PATHS. One OUTCOME.

Match the workflow to the situation. The skill router picks automatically; you can override.

EDPB 2026
Populate the official EDPB DPIA Template v1.0 (Sections 0–6). Harmonised EU format recognised by all SAs.
CUSTOM 12-SECTION
Populate the custom report template: threshold analysis, jurisdictional blacklist detail, risk heat maps, and annexes.
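As an added example (not the skill's code) of the unpack → fill → repack population behind both modes: a .docx is a zip package whose word/document.xml carries the text, so the populator opens the archive, substitutes {{placeholder}} tokens in that one part with XML-escaped values, and copies every other part through unchanged. The three-part template built here is a constructed stand-in for the real EDPB or custom .docx, and the {{token}} syntax is an assumption.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def build_sample_template() -> bytes:
    """Constructed stand-in for a template .docx: the minimum parts a WordprocessingML
    package needs, with placeholder tokens in the document body."""
    document_xml = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:r><w:t>Controller: {{controller}}</w:t></w:r></w:p>'
        '<w:p><w:r><w:t>Threshold verdict: {{verdict}}</w:t></w:r></w:p>'
        '<w:p><w:r><w:t>Residual risk: {{residual}}</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)  # must remain the first entry
        z.writestr("_rels/.rels", rels)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def populate(template: bytes, values: dict, strict: bool = True) -> bytes:
    """Unpack -> fill -> repack. Only word/document.xml is rewritten; every other part
    is copied byte-for-byte so the package stays valid."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(template)) as src, \
         zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():            # infolist() preserves the part order
            data = src.read(info.filename)
            if info.filename == "word/document.xml":
                def fill(m: re.Match) -> str:
                    key = m.group(1)
                    if key not in values:
                        if strict:
                            raise KeyError(f"unfilled placeholder: {key}")
                        return m.group(0)
                    # XML-escape so a value such as "A & B <Ltd>" can neither break
                    # document.xml nor inject markup into the report.
                    return escape(str(values[key]))
                data = PLACEHOLDER.sub(fill, data.decode("utf-8")).encode("utf-8")
            dst.writestr(info, data)
    return out_buf.getvalue()


def read_part(docx: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(name)


def document_text(docx: bytes) -> str:
    """Parse the filled document.xml (raises if it is not well-formed) and join the
    visible text so the result can be checked."""
    root = ET.fromstring(read_part(docx, "word/document.xml"))
    return "\n".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


def remaining_placeholders(docx: bytes) -> list:
    """Post-population check: no {{token}} may survive into an audit-ready report."""
    return PLACEHOLDER.findall(document_text(docx))
```

Two checks matter in practice: run `remaining_placeholders()` on every generated report and refuse to ship if the list is non-empty, and keep the escaping, because controller names and free-text risk descriptions routinely contain `&` and `<`. Real Word templates also tend to split a single `{{token}}` across several `<w:r>` runs when it has been edited in Word; normalise the runs first, or use a template library that does, before relying on a plain regex.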
§ 04 · ANATOMY

WHAT'S IN the SKILL.

Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof.

dpia-sentinel/
├── evals  # Test cases + assertions
│   └── evals.json  # 8 cases, 72 assertions
├── references  # Reference corpus
│   ├── jurisdictions
│   │   ├── be-apd.md
│   │   ├── de-dsk.md
│   │   ├── fr-cnil.md
│   │   ├── ie-dpc.md
│   │   ├── it-garante.md
│   │   ├── nl-ap.md
│   │   ├── pl-uodo.md
│   │   └── whitelists.md
│   ├── dpia-custom-population.md
│   ├── dpia-custom-template-v1.docx
│   ├── edpb-2026-custom-template-v1.docx
│   ├── edpb-2026-explainer.md
│   ├── edpb-2026-population.md
│   ├── edpb-2026-template-v1.docx
│   ├── edpb-2026-template.md
│   ├── edpb-criteria.md
│   ├── risk-catalog.md
│   ├── scoring.md
│   ├── sources.md
│   └── templates.md
├── CHANGELOG.md  # Version history
├── README.md  # Deployment guide
└── SKILL.md  # Main skill instructions
§ 05 · DEPLOYMENT

INSTALL and INVOKE.

Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.

CLAUDE.AI USER SKILLS

  1. Settings → Profile → Custom Skills
  2. Upload the entire dpia-sentinel/ folder
  3. Skill auto-triggers on relevant keywords

CLAUDE CODE / MCP

  1. Copy folder to your skills directory:
cp -r dpia-sentinel/ \
   ~/.claude/skills/user/
§ 06 · OUTPUTS

WHAT YOU get BACK.

Every output is documented, version-pinned, and traceable to its source citation.

Threshold verdict
Clear DPIA Required / Recommended / Not Required ruling with the Art. 35(3) check, nine-criteria analysis, and national list reasoning shown.
Risk register
Table with Risk ID, Track (A/B), description, rights category, likelihood, severity, score, modulating factors, and adjusted level.
Residual risk overview
Risks by level before and after additional mitigation, plus the overall verdict: APPROVED / CONDITIONALLY APPROVED / CONSULT SA / REJECTED.
EDPB 2026 DPIA report (.docx)
Official harmonised EU template, Sections 0–6, recognised by all EU supervisory authorities.
Custom DPIA report (.docx)
12-section assessment with threshold analysis, jurisdictional detail, risk heat maps, and annexes.
Art. 36 consultation package
Submission package for SA prior consultation when residual high risk remains.
§ 07 · EVALS

TESTED before SHIPPED.

Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.

8 test cases · 72 assertions · 100% coverage required
01
Mall operator headquartered in Munich
10 ASSERTS
02
We're a German company with 1,200 employees
9 ASSERTS
03
We're a German fintech, controller, main establishment in Frankfurt
9 ASSERTS
04
We're a Berlin hospital, controller
9 ASSERTS
05
We're a French SME (controller, Lyon) doing standard HR processing for 80 employ...
8 ASSERTS
06
Academic research project at a German university
9 ASSERTS
07
We're a German staffing agency (controller)
10 ASSERTS
08
Marketing analytics: we collect website behavioural data (no logins, no fingerpr...
8 ASSERTS
§ 08 · REGULATORY BASIS

WHAT IT cites.

Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.

GDPR Article 35
Data Protection Impact Assessment obligation and Art. 35(3) absolute triggers.
GDPR Article 36
Prior consultation with the supervisory authority on residual high risk.
EDPB DPIA Template v1.0 (March 2026)
Harmonised EU-wide DPIA structure (Sections 0–6).
EDPB Guidelines WP 248 rev.01
DPIA methodology and the nine criteria.
EDPB Opinion 28/2024
Dual-phase DPIA for AI processing (training vs. deployment).
EDPB Guidelines 01/2025
Pseudonymisation as a likelihood-reducing risk control.
§ 09 · TRUST

EVERY STEP, auditable.

The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.

VERIFIED · Source-anchored output.
Every threshold verdict, blacklist hit, and risk score traces back to a cited EDPB guideline or national SA list.
IMMUTABLE · Reproducible decisions.
Pin a build; recreate the threshold and risk assessment years later for audit or supervisory defence. The pin covers the skill's rules, references and templates; pin the model version and sampling settings as well, or a re-run can still differ.
ENFORCED · Threshold before scoring.
Art. 35(3) triggers and the nine-criteria gate run before any risk register or document is produced.
NATIVE · EU-native.
Built around DSK/CNIL/DPC/APD Art. 35(4) lists and the EDPB template — not a retrofitted generic checklist.

DPIA Sentinel — Deployment Guide

Overview

GDPR Data Protection Impact Assessment Sentinel — a structured DPIA guidance skill for Claude that provides:

  • Threshold assessment against Art. 35(3) mandatory triggers and EDPB nine-criteria analysis
  • Multi-jurisdictional blacklist/whitelist checks across 7 EU Member States (DE, FR, IE, BE, NL, IT, PL)
  • EDPB 2026 DPIA Template support — generate documents in the official harmonised EU format (Sections 0–6)
  • Two-track risk model — inherent-by-design risks (Track A) and operational risks (Track B) per EDPB methodology
  • 5×5 risk assessment with modulating factors, from the data subject's perspective
  • Implementation status tracking for all measures (Planned / Partially Implemented / Implemented)
  • Necessity and proportionality as separate upstream assessment gates
  • Asset inventory for risk-relevant processing infrastructure
  • Art. 36 prior consultation decision support with four-outcome verdict
  • AI dual-phase analysis per EDPB Opinion 28/2024 (training vs. deployment)
  • Audit-ready .docx document generation via template population (EDPB 2026 format, custom 12-section report, threshold memo, executive summary, Art. 36 package)

File Structure

dpia-skill/
├── SKILL.md                              # Main skill instructions (deploy this)
├── CHANGELOG.md                          # Version history
└── references/
    ├── edpb-criteria.md                  # EDPB nine criteria + multi-jurisdictional framework
    ├── edpb-2026-template.md             # EDPB 2026 DPIA template field-by-field spec
    ├── edpb-2026-template-v1.docx        # Official EDPB template .docx (populatable)
    ├── edpb-2026-population.md           # Table-by-table population guide for the template
    ├── edpb-2026-explainer.md            # EDPB 2026 methodology reference
    ├── dpia-custom-template-v1.docx      # Custom 12-section DPIA template .docx (populatable)
    ├── dpia-custom-population.md         # Population guide for custom template
    ├── scoring.md                        # 5×5 risk scoring + modulating factors + two tracks
    ├── risk-catalog.md                   # Common DPIA risks by processing type (Track A+B)
    ├── templates.md                      # Document templates (5 formats)
    ├── sources.md                        # Regulatory source references
    └── jurisdictions/
        ├── de-dsk.md                     # Germany — DSK blacklist
        ├── fr-cnil.md                    # France — CNIL blacklist
        ├── ie-dpc.md                     # Ireland — DPC blacklist
        ├── be-apd.md                     # Belgium — APD blacklist
        ├── nl-ap.md                      # Netherlands — AP blacklist
        ├── it-garante.md                 # Italy — Garante blacklist
        ├── pl-uodo.md                    # Poland — UODO blacklist
        └── whitelists.md                 # FR, CZ, ES, AT whitelist exemptions

Deployment

Claude.ai (User Skills)

  1. Go to Settings → Profile → Custom Skills (or equivalent)
  2. Upload the entire dpia-skill/ folder structure
  3. The skill will auto-trigger when you mention DPIA, DSFA, Art. 35, or describe high-risk processing

Claude Code / Custom MCP Setup

  1. Copy the dpia-skill/ folder to your skills directory:
       cp -r dpia-skill/ /path/to/your/skills/user/dpia-skill/
  2. Ensure the skill is registered in your configuration

Usage

Quick Start

Just describe your processing activity:

"We're planning to deploy an AI system that scores job applicants based on their CVs and video interviews. The system will be used across Germany, France, and the Netherlands. Do we need a DPIA?"

The skill will activate and guide you through the assessment.

Trigger Phrases

  • "Do I need a DPIA?" / "DSFA" / "Datenschutz-Folgenabschätzung"
  • "Art. 35" / "impact assessment" / "high-risk processing"
  • "We want to deploy AI for..." / "profiling" / "large-scale monitoring"
  • "Generate a DPIA report"

Assessment Flow

Phase             Description
Threshold         Art. 35(3) triggers + nine-criteria analysis + national blacklist checks
Description       Systematic processing description per Art. 35(7)(a)
Asset Inventory   Risk-relevant assets grouped by type (EDPB 2026, Section 1.3)
Necessity         Effectiveness + least-intrusive test (upstream gate)
Proportionality   Benefits vs. impact balancing (upstream gate)
Inherent Risks    Track A (by-design) + Track B (operational), 5×5 matrix + modulating factors
Mitigation        Technical, organisational, and legal measures with implementation status
Residual Risk     Overall verdict: APPROVED / CONDITIONALLY APPROVED / CONSULT SA / REJECTED
Documentation     Audit-ready .docx generation (EDPB 2026 or custom format)

Document Types

Template                       Description
EDPB 2026 DPIA Report          Official harmonised format (Sections 0–6, recognised by all EU SAs)
Full DPIA Report (custom)      Custom 12-section assessment with threshold analysis + annexes
Threshold Justification Memo   2–3 page document explaining why a DPIA is NOT required
Executive Summary              1–2 page board/leadership summary
Art. 36 Consultation Package   Submission package for SA prior consultation

Regulatory Basis

Document                                Reference
GDPR Article 35                         DPIA obligation
GDPR Article 36                         Prior consultation
EDPB DPIA Template v1.0 (March 2026)    Harmonised EU-wide DPIA structure
EDPB Guidelines WP 248 rev.01           DPIA methodology and nine criteria
EDPB Opinion 28/2024                    DPIA for AI processing
EDPB Guidelines 01/2025                 Pseudonymisation as risk reducer
National SA Art. 35(4) lists            Mandatory DPIA blacklists (7 jurisdictions)

Version History

See CHANGELOG.md for full version history.

License & Disclaimer

This skill provides structured guidance based on publicly available GDPR regulatory materials. It does not constitute legal advice. All DPIA decisions should involve your DPO (Art. 35(2)) and qualified legal counsel.


Created by Oliver Schmidt-Prietz — OneZero Legal