Example 1 – DPIA
Pursuant to Article 35(3)(a) GDPR, a Data Protection Impact Assessment is required for this processing activity as it involves a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing.
The controller relies on legitimate interests under Article 6(1)(f) as the lawful basis. A legitimate interests assessment has been conducted in accordance with Recital 47, which confirms that the processing of personal data strictly necessary for the purposes of preventing customer attrition constitutes a legitimate interest of the controller.
Risk to data subjects is assessed as Medium. This assessment is consistent with the EDPB’s guidance in Opinion 4/2024 on AI-driven profiling, which establishes a three-tier risk framework for commercial profiling activities and indicates that churn prediction, where it does not affect access to essential services, falls within the medium-risk tier.
Based on the assessed risk, the processing is approved and has been entered in the Record of Processing Activities under Article 30(1). The Data Protection Officer was consulted in line with Article 39(1)(c). Residual risk is considered acceptable and prior consultation with the supervisory authority under Article 36 is therefore not required.
Example 2 – DPA
The Acme Inc DPA satisfies the requirements of Article 28(3) GDPR. All mandatory clauses are present, including subject matter and duration of processing (Clause 2.1), nature and purpose (Clause 2.2), type of personal data and categories of data subjects (Schedule 1), and the obligations and rights of the controller (Clause 4).
The Processor commits to processing personal data only on documented instructions from the Controller in accordance with Article 28(3)(a), and to ensuring that persons authorised to process the personal data are bound by confidentiality obligations (Article 28(3)(b)). Sub-processor engagement is governed by Clause 9, which requires 30 days’ prior written notice and a right of objection, as per Article 28(2).
International transfers are addressed in Clause 12. The Processor relies on the EU–US Safe Harbor Framework and, as a backup mechanism, the 2021 Standard Contractual Clauses (Module 2: Controller-to-Processor). A Transfer Impact Assessment has been conducted by the Processor and is available on request. This arrangement is considered adequate in light of the Schrems II judgment and subsequent EDPB Recommendations 01/2020 on supplementary measures.
The Processor’s security measures are set out in Annex II and align with ISO 27001 and SOC 2 Type II certifications. The Processor commits to notifying the controller of a personal data breach without undue delay and in any event within 72 hours, mirroring the controller’s own obligation under Article 33.
Recommendation: Approve for signature. Residual risk is low. No material deviations from GDPR Article 28 requirements were identified.
Example 3 – DSAR
Dear Ms Smith,
Thank you for your data subject access request received on 2 April 2026. We are writing to respond within the one-month period prescribed by Article 12(3) GDPR.
We have carried out a search of our systems and can confirm that we process the following categories of your personal data: contact details, account history, correspondence with our customer service team, and marketing preferences. Copies of the relevant records are enclosed at Annex A.
You have also requested information about the automated decision-making mechanism we conducted that underpinned your bank account being automatically closed due to fraudulent activity. We can confirm that no decisions concerning you have been taken on the basis of automated processing within the meaning of Article 22 GDPR. This is because it is the responsibility of your bank to conduct a review prior to taking any action capable of causing a legal effect.
Certain information has been withheld under the exemption in Article 15(4) GDPR, which provides that the right to obtain a copy shall not adversely affect the rights and freedoms of others. Specifically, internal correspondence between members of staff discussing your account has been withheld on the basis that staff members may be embarrassed.
If you are dissatisfied with this response, you have the right to lodge a complaint with the Information Commissioner’s Office or to seek a judicial remedy under Article 79 GDPR.
Yours sincerely,
DPO