DPIA Template

A customer-facing starting point for Corelyx workflows that process personal data. The customer remains the controller under the GDPR and owns the completed DPIA; Corelyx acts as processor and can supply the technical inputs, but cannot sign off the assessment on the customer's behalf.

When to complete a DPIA

Complete a DPIA before activating a Corelyx workflow if any of these apply:

  • Special-category data under GDPR Article 9, such as health, genetic, biometric, political, religious or philosophical, trade-union, sex-life or sexual-orientation, or racial/ethnic-origin data
  • AI Act Annex III domains such as employment, education, access to essential services (credit, insurance, healthcare, public services and benefits), critical infrastructure, law enforcement, migration, or the administration of justice
  • Large-scale personal-data processing, systematic and extensive profiling, or systematic monitoring of individuals
  • Automated decisions that produce legal effects or similarly significantly affect individuals (GDPR Article 22)
  • Matching or combining datasets from different sources, data about vulnerable individuals (children, employees, patients), innovative use of new technology, or systematic monitoring of publicly accessible areas

Template sections

1. Workflow identification

Workflow name, Corelyx program ID, controller owner, privacy lead or DPO, assessment date, workflow status, and next review date.

2. Description of processing

Purpose, node-by-node data flow, data subjects, personal-data categories, volume, frequency, and raw-input retention.

3. Necessity and proportionality

Lawful basis under GDPR Article 6, the Article 9(2) condition if special-category data is involved, a legitimate-interests assessment where Article 6(1)(f) is relied on, and data minimization justified field by field (which inputs each node actually needs, and which can be dropped or redacted before processing).

4. Risks to data subjects

Confidentiality, integrity, availability, fairness/discrimination, cross-border transfer, and residual-risk assessment.

5. AI Act-specific review

Applicable Annex III domain, role of the AI output in the decision (advisory or determinative), human oversight measures, approval-gate configuration, reviewer authority to override or halt the workflow, fallback handling when the model or a gate is unavailable, and registration in the EU database where the customer is a deployer required to register.

6. Data subject rights

How the rights to information, access, rectification, erasure, restriction, portability, and objection, and the Article 22 right to human intervention in automated decisions, are operationalized for the workflow, including who handles a request and within what timeframe.

7. Mitigations and sign-off

Document Corelyx safeguards, customer safeguards, the residual-risk owner, the approval decision, the review cadence, and the criteria under which the workflow is suspended (for example, a gate bypass, a redaction failure, or a change in data categories or purpose).

Corelyx safeguards to consider

  • PII and secret redaction applied to inputs before any LLM prompt is submitted
  • Human approval gates for AI-driven or high-impact workflow steps
  • Execution logging that defaults to metadata only (no raw input content) with configurable retention limits
  • Processing restriction flag to honour GDPR Article 18 requests without deleting the record
  • Data export, deletion, and audit trails to support accountability and data subject requests