Free · Runs locally · Markdown export
GDPR Article 35 · WP29 / EDPB aligned

A DPIA scaffold built for AI processing.

Six guided steps (controller context, legal basis, data scope, AI specifics, necessity, and the risk register) produce an eight-section Markdown document ready for DPO review.

Six steps · Eight sections · Downloadable Markdown

Output preview

Eight DPIA sections, ready for review

  1. Controller and accountability
  2. Processing description
  3. Data subjects + categories
  4. AI / automated decision-making
  5. Necessity + proportionality
  6. Risk assessment
  7. Consultation
  8. Sign-off
Markdown · ~3KB · Client-side

Standard: GDPR Art. 35. Structured around WP29 / EDPB DPIA guidance + AI Act overlap.

Privacy: 100% client-side. All inputs stay in your browser. Markdown is generated locally.

Output: Reviewer-ready. Eight sections, placeholders for team judgement, sign-off block.

Step 1 · Controller context

What's being assessed?

Capture the project, the controller, and anyone you share controllership or processing with. These header fields anchor the rest of the document.

If no DPO is appointed, name the accountable privacy lead.

FAQ

Common questions

What the tool does, how it relates to the AI Act, and where its boundaries are.

Is the generated DPIA legally valid?

No, this is a scaffold, not a final DPIA. It produces a structured skeleton aligned to GDPR Art. 35 and WP29 / EDPB guidance, but the substantive content still needs to be written, reviewed by your DPO, and signed off by the controller.

When is a DPIA mandatory under GDPR?

Article 35(1) requires a DPIA where the processing is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) lists three mandatory triggers: systematic and extensive automated decision-making with significant effect, large-scale processing of special category / criminal data, and systematic monitoring of publicly accessible areas. National supervisory authorities also publish lists of operations requiring a DPIA.

How does the AI Act change DPIA practice?

High-risk AI systems under the AI Act (Annex III + Annex I) require a parallel risk-management process under Art. 9 of the AI Act and technical documentation under Annex IV. A DPIA does not replace those, but the analyses should reference each other so reviewers can see the full picture in one place.

Does this tool send my data anywhere?

No. Everything runs entirely in your browser: answers are kept in component state, the Markdown is generated locally, and nothing is transmitted, logged, or stored on a server.

What does the export contain?

An eight-section Markdown document covering controller and accountability, processing description, data subjects + categories, AI / automated decision-making, necessity and proportionality, risk assessment, consultation, and sign-off. Placeholders mark every spot where team-specific judgment is still required.

Not legal advice. The DPIA scaffold is an educational starting point aligned to GDPR Art. 35 and WP248 rev.01. Final DPIAs require DPO review and, where residual risk remains high, prior consultation with the competent supervisory authority under Art. 36.
DPIA Scaffold Generator: Free Tool | Startege