Easylab AI SARL

DPIA Screening Checklist

Based on Article 29 Working Party Guidelines WP 248 rev.01 (endorsed by the EDPB) -- Data Protection Impact Assessment
Document ID: ELAB-DPIA-2026-001
Version: DRAFT v0.1
Date: March 2026
Author: [TO BE CONFIRMED]
Approved by: [TO BE CONFIRMED]

1. Purpose

This checklist determines whether a Data Protection Impact Assessment (DPIA) is required under Article 35 of the GDPR before launching a new project, product, feature, or service that involves the processing of personal data.

Under Article 35(1) GDPR, a DPIA is mandatory when processing is "likely to result in a high risk to the rights and freedoms of natural persons." The Article 29 Working Party Guidelines on DPIA (WP 248 rev.01, endorsed by the EDPB) identify nine criteria for assessing this risk. As a general rule, if two or more criteria are met, a DPIA is required; a processing operation meeting only one criterion may still require one, and the reasons for not carrying out a DPIA must be documented.

2. When to Use This Checklist

This checklist must be completed before any of the following:

The completed checklist must be retained as evidence of compliance, regardless of whether a full DPIA is subsequently required.

3. Project Identification

Project / Service Name: ______________________________
Project Owner: ______________________________
Date of Screening: ______________________________
Brief Description of Processing: ______________________________
Categories of Data Subjects: ______________________________
Categories of Personal Data: ______________________________
Legal Basis (Art. 6 GDPR): ______________________________

4. WP 248 Screening Criteria

For each criterion below, check the box if it applies to the planned processing. Answer honestly -- underestimating risk exposes the company to regulatory sanctions.

Criterion 1: Evaluation or Scoring

Does the processing involve evaluating or scoring individuals, including profiling and predicting?

Easylab examples:
  • EasyBlood: Health Score calculated from blood test results -- direct evaluation of an individual's health status
  • LinkedInScope: Analysis and scoring of LinkedIn profiles for recruitment suitability
  • Any AI-generated "quality score", "risk score", or "recommendation" based on personal data

Criterion 2: Automated Decision-Making with Legal or Similarly Significant Effect

Does the processing involve automated decision-making that produces legal effects or similarly significant effects on individuals?

Easylab examples:
  • Automated rejection/acceptance of candidates based on AI-generated profile analysis
  • Health recommendations that could influence medical decisions (EasyBlood)
  • Any system output that directly determines access to a service, contract, or benefit without meaningful human review

Criterion 3: Systematic Monitoring

Does the processing involve systematic monitoring of individuals, including observation of publicly accessible areas?

Easylab examples:
  • Session recording or heatmap tools on SaaS platforms (Hotjar, FullStory, etc.)
  • Continuous monitoring of user behavior/activity within a platform
  • Scraping or systematic collection of publicly available LinkedIn data
  • Audio recording of meetings (EasyBoard, EasyFund)

Criterion 4: Sensitive Data or Data of a Highly Personal Nature

Does the processing involve special categories of data (Art. 9 GDPR), criminal conviction data (Art. 10), or other highly personal data (location, financial, communications)?

Easylab examples:
  • EasyBlood: Health data (blood test results, health scores) -- special category under Art. 9
  • EasyBoard / EasyFund: Audio recordings of meetings may contain opinions, political views, or other sensitive content
  • Any processing of biometric data, genetic data, racial/ethnic origin, trade union membership
  • Financial data discussed in board meetings (EasyBoard)

Criterion 5: Data Processed on a Large Scale

Is the processing carried out on a large scale, considering the number of data subjects, volume of data, duration/permanence, and geographical extent?

Easylab examples:
  • A SaaS platform with thousands of end users across multiple organizations
  • Processing of all employees' data within a client organization
  • Linkeme platform if scaled to many users

Note: At current Easylab scale (early-stage, limited client base), most processing is unlikely to qualify as "large scale." This criterion should be re-evaluated as the business grows.

Criterion 6: Matching or Combining Datasets

Does the processing involve matching or combining datasets from different sources in a way that exceeds the reasonable expectations of the data subject?

Easylab examples:
  • LinkedInScope: Combining publicly scraped LinkedIn data with client's internal HR data
  • Enriching user profiles by cross-referencing multiple data sources
  • Merging meeting transcripts with CRM data or other business systems
  • RAG (Retrieval-Augmented Generation) systems that combine personal data from multiple document sources

Criterion 7: Data Concerning Vulnerable Data Subjects

Does the processing concern vulnerable individuals who may be unable to easily consent to or oppose the processing?

Easylab examples:
  • EasyBlood: Patients or individuals undergoing health assessments -- inherent power imbalance with healthcare providers
  • LinkedInScope: Job seekers or candidates in recruitment processes -- power imbalance with potential employers
  • Employees whose data is processed by their employer via Easylab tools
  • Children or elderly persons (if any Easylab service targets these groups)

Criterion 8: Innovative Use of Technology or Organizational Solutions

Does the processing involve the use of new or innovative technologies, including AI, machine learning, or other emerging technologies?

Easylab examples:
  • All Easylab products: Use of generative AI (LLMs such as Claude, GPT) to process personal data
  • EasyBoard / EasyFund: AI-assisted transcription and summarization of meetings
  • EasyBlood: AI-driven health analysis from lab results
  • EasyClaw / OpenClaw: Autonomous AI agents with system access
  • RAG systems, vector databases (Qdrant), semantic search on personal data

Note: As of 2026, supervisory authorities continue to treat generative AI applied to personal data as "innovative technology" in the WP 248 sense. This criterion applies to virtually all Easylab AI-powered services.

Criterion 9: Processing That Prevents Data Subjects from Exercising a Right or Using a Service or Contract

Does the processing prevent individuals from exercising a right, or using a service or a contract?

Easylab examples:
  • Credit scoring or eligibility checks that block access to financial services
  • Automated screening that prevents a candidate from progressing in a recruitment process
  • Mandatory data processing where refusal would deny access to an essential service

Note: This criterion is less likely to apply to current Easylab services, which are primarily B2B tools. However, it should be assessed if any service gates access based on personal data processing.

5. Screening Result

Total criteria checked: _____ / 9

0-1 Criteria Met: DPIA Not Mandatory on the Criteria Count

A full DPIA is not required on the basis of the criteria count alone. Two caveats apply before recording this result:

  • Article 35(3) GDPR makes a DPIA mandatory in any case for (a) systematic and extensive evaluation of individuals based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based; (b) large-scale processing of special categories of data (Art. 9) or criminal conviction data (Art. 10); and (c) large-scale systematic monitoring of publicly accessible areas. Check these grounds independently of the count.
  • WP 248 states that processing meeting only one criterion may still require a DPIA. Where criterion 8 (innovative technology) is met because AI is applied to personal data, conducting a DPIA is recommended even if no other criterion applies. If no DPIA is carried out, document the reasons.

Retain this completed checklist as evidence of your assessment.

2 or More Criteria Met: DPIA IS MANDATORY

A Data Protection Impact Assessment must be completed before the processing begins (Art. 35(1) GDPR). Processing must not start until the DPIA is completed and, if necessary, mitigating measures have been implemented.

If the DPIA concludes that residual risk remains high despite mitigations, the supervisory authority (CNPD in Luxembourg) must be consulted under Article 36 GDPR before proceeding.

Decision: DPIA Required / Not Required (circle one)
Assessed by: ______________________________
Date: ______________________________
Reviewed by: ______________________________

6. Simplified DPIA Template

If the screening above indicates that a DPIA is required, use the following structure. For complex or high-risk processing, consider engaging external legal counsel or a qualified DPO.

Section A: Description of the Processing

Describe: nature, scope, context, and purposes of the processing. Include data flows, technologies used, data categories, data subjects, retention periods, and sub-processors involved.

Section B: Necessity and Proportionality

Assess: legal basis (Art. 6, Art. 9 if applicable), purpose limitation, data minimization, data quality, storage limitation, information to data subjects (Art. 13/14), right to object, data portability, lawfulness of international transfers.

Section C: Risks to the Rights and Freedoms of Data Subjects

Identify and rate risks by likelihood (unlikely / possible / likely) and severity (limited / significant / maximum). Consider: illegitimate access, unwanted modification, data loss, re-identification, discrimination, financial loss, reputational damage, loss of autonomy.

Section D: Measures to Address Risks

For each risk identified, document: the mitigating measure, its effect on likelihood/severity, the responsible person, and the implementation deadline. Include both technical measures (encryption, access controls, pseudonymization, logging) and organizational measures (policies, training, audits, incident response).

Section E: Conclusion and Approval

State whether residual risk is acceptable. If residual risk remains high, document the decision to consult the CNPD (Art. 36). Obtain sign-off from the project owner and, if appointed, the Data Protection Officer.

Luxembourg-specific: Check the CNPD's published list of processing operations requiring a DPIA (Art. 35(4) list). Some operations may be mandatory regardless of the WP 248 criteria count. See: cnpd.public.lu

7. Pre-Assessed Easylab Products

The following assessments are indicative and based on current product scope as of March 2026. They must be reviewed when product features change.

EasyBlood
#  Criterion                   Applies?  Rationale
1  Evaluation or scoring       YES       Health Score calculated from blood test results
2  Automated decision-making   Possible  Health recommendations could influence medical decisions; depends on implementation
3  Systematic monitoring       No        One-time or periodic analysis, not continuous monitoring
4  Sensitive data              YES       Health data (Art. 9 GDPR special category)
5  Large scale                 No        Currently limited user base
6  Matching datasets           No        Single data source (lab results)
7  Vulnerable data subjects    Possible  Patients may be considered vulnerable depending on context
8  Innovative technology       YES       Generative AI (LLM) used for health data analysis
9  Blocking a right/service    No        Not applicable

Result: 3 criteria met (minimum) -- DPIA MANDATORY

Note: If the user base grows so that criterion 5 applies, the processing falls under Art. 35(3)(b) GDPR (large-scale processing of special categories of data) and a DPIA is mandatory on that ground alone, independent of the criteria count.

LinkedInScope
#  Criterion                   Applies?  Rationale
1  Evaluation or scoring       YES       AI-based profiling and scoring of LinkedIn profiles
2  Automated decision-making   Possible  Depends on whether output is used for hiring decisions without human review
3  Systematic monitoring       Possible  Systematic collection from public profiles could qualify
4  Sensitive data              Possible  LinkedIn profiles may reveal religion, ethnicity, or political opinions indirectly
5  Large scale                 No        Currently limited usage
6  Matching datasets           Possible  If combined with internal HR data
7  Vulnerable data subjects    Possible  Job seekers are in a power imbalance with recruiters
8  Innovative technology       YES       Generative AI used for profile analysis
9  Blocking a right/service    Possible  If used to filter out candidates from a recruitment process

Result: 2 criteria met (minimum) -- DPIA MANDATORY

EasyBoard / EasyFund
#  Criterion                   Applies?  Rationale
1  Evaluation or scoring       No        Transcription and summarization, not scoring individuals
2  Automated decision-making   No        Output is informational (minutes), not decision-making
3  Systematic monitoring       Possible  Audio recording of meetings could qualify depending on scope
4  Sensitive data              YES       Meeting audio may contain sensitive opinions, financial data, strategic discussions
5  Large scale                 No        Currently limited client base
6  Matching datasets           No        Single data source per processing operation
7  Vulnerable data subjects    No        Board members and executives are not typically considered vulnerable; re-assess if employees are routinely recorded (see criterion 7 above)
8  Innovative technology       YES       Generative AI (LLM) + speech-to-text for meeting transcription
9  Blocking a right/service    No        Not applicable

Result: 2 criteria met (minimum) -- DPIA MANDATORY

Easylab.ai Website (Corporate Site)
#  Criterion                   Applies?  Rationale
1  Evaluation or scoring       No        Static website, no profiling
2  Automated decision-making   No        No automated decisions
3  Systematic monitoring       No        Standard analytics only (if any)
4  Sensitive data              No        Contact form data only
5  Large scale                 No        Small website
6  Matching datasets           No        No dataset combination
7  Vulnerable data subjects    No        General public, B2B visitors
8  Innovative technology       No        Standard website technology
9  Blocking a right/service    No        Not applicable

Result: 0 criteria met -- DPIA not mandatory

8. References

  • Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, WP 248 rev.01 (adopted 4 October 2017; endorsed by the EDPB on 25 May 2018).
  • Regulation (EU) 2016/679 (GDPR), Articles 6, 9, 10, 13, 14, 35 and 36.
  • CNPD (Commission nationale pour la protection des données, Luxembourg), list of processing operations requiring a DPIA under Art. 35(4) GDPR, cnpd.public.lu

DRAFT DOCUMENT -- v0.1 -- March 2026
This document is a working draft pending legal review. It should not be relied upon as a definitive compliance document.
Easylab AI SARL | 55, allée de la Poudrerie, L-1899 Roeser, Luxembourg