For the purposes of Article 27 of the Data Protection Regulations, a data protection impact assessment must contain at least:

(A) a systematic description of the envisaged Processing operations and the purposes of the Processing, including:
(i) identification and consideration of the lawful basis for the Processing as set out in Article 10 of the Regulations;
(ii) if the Processing is necessary for the purposes of the legitimate interests of the Data Controller or another Person in accordance with Article 10(1)(F) of the Regulations, the reasoning according to which the Data Controller believes that the rights or legitimate interests of the Data Subject do not override its interests or those of the other Person; and
(iii) if Processing is based on consent:
(a) confirmation that consent will be or has been validly obtained;
(b) the impact of the withdrawal of consent to that Processing; and
(c) how the Data Controller will ensure that it can comply with any exercise by the Data Subject of their right to withdraw consent;
(B) an assessment as to how the Processing operations are adequate, relevant and limited to what is necessary in relation to the purposes for which the Personal Data are Processed;
(C) an assessment of the risks to the rights and legitimate interests of Data Subjects; and
(D) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data and to demonstrate compliance with the Regulations, taking into account the rights and legitimate interests of Data Subjects and other persons concerned.