DPIA: Data Protection Impact Assessments for EUDI Wallet Implementations

Last updated: 2/9/2026
Reading time: 4 min

Full Name: Data Protection Impact Assessment

Definition

A Data Protection Impact Assessment (DPIA) is a structured process mandated by Article 35 of the General Data Protection Regulation (GDPR) that requires data controllers to systematically analyze, identify, and minimize the data protection risks of a proposed processing activity before it begins. For the EUDI Wallet ecosystem, DPIAs are not optional -- they are a legal prerequisite for deploying any component that processes personal identity data at scale. The DPIA process ensures that privacy risks are identified early, mitigation measures are designed into the system (privacy by design), and the residual risks are documented and accepted with full transparency.

The DPIA Process for EUDI Wallet Implementations

A DPIA for EUDI Wallet services follows a structured methodology, typically comprising four main phases:

Phase 1 -- Processing description: Detailed documentation of what personal data is processed, how it flows through the system, who has access, how long it is retained, and what the legal basis for processing is. For an EUDI Wallet provider, this includes describing credential storage, presentation flows, transaction logging, backup mechanisms, and any analytics or telemetry collected.

Phase 2 -- Necessity and proportionality assessment: Evaluation of whether the processing is necessary for the stated purpose and whether less privacy-invasive alternatives exist. For example, does the wallet need to log every credential presentation, or can privacy-preserving aggregated statistics suffice? Is full credential data stored in backups, or only the minimum metadata needed for re-issuance?

Phase 3 -- Risk identification and assessment: Systematic identification of risks to data subjects, including unauthorized access, data breaches, excessive collection, profiling, discrimination, and loss of control. Each risk is assessed for likelihood and severity. EUDI-specific risks include cross-service correlation (verifiers colluding to track users), over-collection by relying parties, and the concentration of identity data, which creates high-value attack targets.

Phase 4 -- Risk mitigation: For each identified risk, the DPIA documents mitigation measures. These include technical measures (encryption, selective disclosure, pseudonymization, device binding), organizational measures (access controls, staff training, audit procedures), and legal measures (data processing agreements, purpose limitation clauses). Residual risks that cannot be fully mitigated are documented, and if they remain high, the Data Protection Authority must be consulted before processing begins.

EUDI-Specific Privacy Risks Addressed by DPIAs

  • Cross-service tracking: If multiple relying parties share a common user identifier, they could correlate user activities across services, building complete profiles. DPIAs address this by requiring pseudonymous identifiers that differ per relying party.
  • Issuer-side transaction tracking: If issuers are notified each time a credential is presented, they learn detailed information about user behavior. DPIAs evaluate whether the architecture minimizes issuer involvement in presentation flows (the EUDI architecture ensures issuers are not contacted during presentation).
  • Wallet provider surveillance: The wallet provider could potentially monitor all credential operations. DPIAs ensure the wallet architecture minimizes data visible to the provider, with credentials stored locally and presentations handled device-to-verifier without routing through the provider.
  • Biometric data risks: If biometric authentication data (fingerprints, face recognition) is processed, the DPIA must assess the elevated risks of biometric data breach and ensure biometric templates are stored only in the device secure element, never transmitted externally.
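As an added illustration of the cross-service tracking mitigation above (example code written for this page, not code from the page or from the EUDI Wallet architecture itself): a wallet derives a different pseudonym for each relying party from a device-held secret, and a simulated collusion between two relying parties shows that their logs join on a shared identifier but not on pairwise pseudonyms. The HMAC derivation, relying party names and log entries are constructed assumptions for the demonstration, not the mechanism specified by the EUDI architecture.

```python
import hashlib
import hmac


def pairwise_pseudonym(wallet_secret: bytes, relying_party_id: str) -> str:
    """Derive a relying-party-specific pseudonym (illustrative scheme).

    HMAC-SHA256 keyed with a secret that never leaves the wallet, over the
    relying party's identifier: the same relying party always sees the same
    value (returning users can be recognised), but without the key nobody can
    relate the value shown to one relying party to the value shown to another.
    """
    mac = hmac.new(wallet_secret, relying_party_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def correlatable(log_a: list[dict], log_b: list[dict]) -> set[str]:
    """What two colluding relying parties could match by joining their
    presentation logs on the user identifier column."""
    ids_a = {entry["user_id"] for entry in log_a}
    ids_b = {entry["user_id"] for entry in log_b}
    return ids_a & ids_b


def simulate(shared_identifier: bool) -> set[str]:
    """Build constructed presentation logs for two relying parties and return
    the identifiers a collusion could correlate.

    shared_identifier=True models a single global user identifier reused at
    every service (the risk the DPIA must flag); False models pairwise
    pseudonyms (the mitigation).
    """
    # Constructed per-user wallet secrets; placeholders, not real key material.
    user_secrets = [b"constructed-wallet-secret-user-1", b"constructed-wallet-secret-user-2"]
    log_a, log_b = [], []
    for secret in user_secrets:
        if shared_identifier:
            # Same identifier presented everywhere: trivially joinable.
            uid_a = uid_b = hashlib.sha256(secret).hexdigest()
        else:
            uid_a = pairwise_pseudonym(secret, "rp.bank.example")
            uid_b = pairwise_pseudonym(secret, "rp.pharmacy.example")
        log_a.append({"user_id": uid_a, "event": "age_over_18 presented"})
        log_b.append({"user_id": uid_b, "event": "prescription presented"})
    return correlatable(log_a, log_b)


if __name__ == "__main__":
    print("shared identifier, correlatable users:", len(simulate(True)))
    print("pairwise pseudonyms, correlatable users:", len(simulate(False)))
```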

Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.