EDPB DPIA Template: Critical CIPP/E Reading

The DPIA trigger has not moved. The DPIA form is about to. That single sentence holds the CIPP/E exam reading of the new EDPB DPIA template. It is the distinction the exam will keep testing while the consultation runs. Article 35 still names three statutory triggers; the harmonised form changes what a DPIA looks like when filed, not when one must be done. For CIPP/E candidates, the new template raises a documentation question, not a trigger question. Treat it that way and the scenarios become easier to read.

What the EDPB published, and the consultation timetable

On 14 April 2026 the EDPB opened a public consultation on a harmonised DPIA template. The version 1.0 text was adopted on 10 March 2026 through written procedure and is accompanied by an explanatory document that walks each section. The consultation closes on 9 June 2026.

The Board has been explicit about the post-consultation outcome. After 9 June the template will be finalised. Every national supervisory authority will then adopt it as their unique template, or as a "meta-template" with which national templates must align. For the CIPP/E candidate that single sentence captures the whole exam reading. Documentation is converging across the EU; the substantive triggers in Article 35 are not.

The Article 35 triggers the exam still tests

Article 35 sits in the GDPR's accountability chapter, and the CIPP/E exam tests three statutory triggers that the new template does not touch. The first is high-risk processing. In practice it maps to the criteria the Article 29 Working Party set out in WP248, which the EDPB has endorsed. The second is large-scale processing of special category data. The third is large-scale systematic monitoring of publicly accessible areas. None of these has changed.

National DPAs add to that list. Most have published "blacklists" of operations always requiring a DPIA and "whitelists" of operations that do not. The harmonised template does not displace these lists. A scenario that hinges on a national whitelist still needs to be read against the relevant DPA, not against the EU-level template. Candidates who confuse "template adopted" with "trigger harmonised" will lose marks on that distinction.

Where DPIA, FRIA and TIA meet on the same AI system

This is the live exam pressure point. Three different documents can apply to the same high-risk AI system processing personal data. A DPIA under Article 35 covers the data protection risks. A Fundamental Rights Impact Assessment under Article 27 of the AI Act covers the wider Charter rights. A Transfer Impact Assessment covers third-country transfer risk. The exam expects the candidate to recognise which obligation each document carries; it does not expect the candidate to merge them.

Article 27(4) lets a deployer who has already done a DPIA carry it across into the FRIA, but the scopes are not identical. The DPIA is a controller obligation under the GDPR. The FRIA is a deployer obligation under the AI Act. The TIA is a transfer-mechanism obligation under Chapter V. Practitioner-grade reading of the FRIA's interaction with Article 35 helps candidates see how those documents stack in real organisations.

Three traps the EDPB DPIA template makes more tempting

The first trap is "template adopted means DPIA mandatory." It does not. The template changes the form; the trigger logic in Article 35 still decides when the form is filled.

The second is the Article 36 prior consultation duty. Where residual risk remains high after a DPIA, the controller still has to consult the supervisory authority. The harmonised template does not change that obligation; if anything, the structured fields make residual risk easier to spot. Candidates should expect a scenario where a polished template hides an unconsulted residual risk.

The third is the national-level read. The EDPB DPIA template is an EU instrument. National blacklists and whitelists remain authoritative inside their jurisdictions. A cross-border processing scenario can pull both into the answer. Future Prep's coverage of algorithmic management at scale and the missing high-risk guidance gap both show how national and EU expectations can diverge in practice.

Reading the EDPB DPIA template on exam day

The cleanest scenario walk on exam day is short. Identify the trigger first; never let the template colour that read. Confirm whether a national blacklist or whitelist applies. If an AI system is involved, ask whether the FRIA also applies and whether the controller can carry the DPIA across into it. If a transfer is in scope, isolate the TIA from the DPIA. Last, ask whether residual risk requires Article 36 prior consultation.

The exam does not reward elegance; it rewards order. Knowing where the EDPB DPIA template sits in that order is the difference between a fast scenario answer and a slow one.

For CIPP/E candidates building this layered read, the CIPP/E exam prep suite at 22academy.com/study walks the Article 35 and Article 36 chain.
