Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From privacy-impact-assessment-skills
Conducts pre-DPIA threshold screening for GDPR Article 35 using EDPB WP248 nine-criteria test, national supervisory blacklists, and risk appetite to decide if full DPIA required. Outputs documented decision.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-impact-assessment-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/privacy-impact-assessment-skills:pia-threshold-screeningThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Article 35(1) GDPR requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms of natural persons." This skill provides a structured screening methodology to make that determination before committing to a full DPIA.
Conducts pre-DPIA threshold screening for GDPR Article 35 using EDPB WP248 nine-criteria test, national supervisory blacklists, and risk appetite to decide if full DPIA required. Outputs documented decision.
Triages data processing activities to determine if a PIA or mandatory GDPR DPIA is needed, surfaces privacy policy conflicts, and routes to next steps.
Conduct Privacy Impact Assessments (PIA) to evaluate privacy risks and compliance for data processing activities.
Share bugs, ideas, or general feedback.
Article 35(1) GDPR requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms of natural persons." This skill provides a structured screening methodology to make that determination before committing to a full DPIA.
Processing that meets two or more of the following criteria generally requires a DPIA:
| # | Criterion | GDPR Reference |
|---|---|---|
| 1 | Evaluation or scoring | Art. 35(3)(a) |
| 2 | Automated decision-making with legal/similar effect | Art. 35(3)(a) |
| 3 | Systematic monitoring | Art. 35(3)(c) |
| 4 | Sensitive data or data of highly personal nature | Art. 9, Art. 10 |
| 5 | Data processed on a large scale | Recital 91 |
| 6 | Matching or combining datasets | WP248 |
| 7 | Data concerning vulnerable data subjects | WP248 |
| 8 | Innovative use or applying new technological solutions | WP248 |
| 9 | Processing that prevents data subjects from exercising a right | Art. 22, Art. 35(3)(b) |
A DPIA is always required for:
Each EU/EEA supervisory authority publishes a list of processing operations requiring a DPIA. The screening must check the relevant national blacklist based on the controller establishment.
IF any Art. 35(3) mandatory trigger is met → DPIA REQUIRED
ELSE IF processing appears on national SA blacklist → DPIA REQUIRED
ELSE IF 2+ WP248 criteria are met → DPIA REQUIRED
ELSE IF 1 WP248 criterion is met → DPIA RECOMMENDED (risk-based decision)
ELSE → DPIA NOT REQUIRED (document exemption)