Data Protection Impact Assessment (DPIA)
Document ID: REG-005
Document owner: Sebastian Windeck (DPO)
Classification: Confidential
Version: 1.0
Date: March 2026
Next review: March 2027
Framework: GDPR Art. 35 | ISO 27001 (A.5.34) | SOC 2 (P1.1, P3.1)
1. DPIA Requirement Assessment
1.1 Why This DPIA Is Necessary
GDPR Art. 35(3) Criteria
Applicable?
Reasoning
(a) Systematic and extensive evaluation of personal aspects based on automated processing
✅ Yes
Quick-ID performs automated extraction of personal data from government ID documents
(b) Large-scale processing of special category data or criminal offence data
⚠️ Partially
Government ID images contain photographs (biometric-adjacent); processing is transient (in-memory only)
(c) Systematic monitoring of a publicly accessible area on a large scale
❌ No
Not applicable
Conclusion: A DPIA is required due to automated processing of personal data extracted from government identity documents at scale (50+ enterprise customers).
2. Processing Description
2.1 Overview
Field
Detail
Data controller CTW Data Solutions GmbH customers (enterprise API users)
Data processor CTW Data Solutions GmbH
Processing activity Automated OCR and data extraction from government-issued identity documents
Product Quick-ID API and SDK
Legal basis (CTW as processor) Art. 6(1)(f) legitimate interest (processor); Art. 28 data processing agreement with each customer
Legal basis (customer as controller) Determined by each customer (typically Art. 6(1)(b) contract performance or Art. 6(1)(a) consent)
2.2 Data Flow
Customer Application → Quick-ID API → In-Memory Processing → Extracted Data → Customer Application
↓
Government ID image
received via HTTPS/TLS 1.3
↓
OCR + data extraction
(AKS container, in-memory only)
↓
Structured data returned to customer
↓
Image discarded from memory
(no persistence to disk/database)
Exception flow (error images):
Processing error occurs → Customer opts in to error analysis
↓
Error image sent via email to CTW support
↓
Stored in email system (max 7 days)
↓
Automated deletion after 7 days
2.3 Data Categories Processed
Category
Data Elements
Storage
Retention
Government ID image Photograph of passport, national ID card, driver's licence, or residence permit
In-memory only (AKS)
Zero — discarded after processing (seconds)
Extracted personal data Full name, date of birth, document number, nationality, expiry date, MRZ data
Returned to customer via API response
Zero — not stored by CTW
Facial photograph (from ID)Photograph embedded in identity document
In-memory only (AKS)
Zero — discarded after processing
Error images (exception)Failed processing images sent voluntarily by customers for debugging
Email system (Google Workspace)
Max 7 days; automated deletion
API metadata Customer API key, request timestamp, IP address, response status
Application logs (AKS)
30 days rolling
Customer account data Company name, contact person, email, API key
Azure Database for PostgreSQL
Duration of contract + 30 days
2.4 Data Subjects
Category
Approximate Volume
Relationship
End users (individuals whose IDs are processed)Thousands per day (across all customers)
Indirect — CTW processes on behalf of customers
Customer contacts (enterprise API users)~50-100 individuals
Direct — contractual relationship
CTW employees 4-10 individuals
Direct — employment relationship
2.5 Recipients / Transfers
Recipient
Purpose
Legal Basis
Location
Customer (data controller)
API response with extracted data
DPA (Art. 28)
Customer-determined
Microsoft Azure
Cloud infrastructure hosting
DPA (standard contractual clauses)
Germany West Central (Frankfurt); EU regions
GitHub
Source code management (no personal data)
DPA
EU/US (SCCs)
Google Workspace
Email (error images only), internal communication
DPA
EU (data residency)
International transfers: Personal data (ID images) is processed exclusively within the EU (Azure Germany West Central). No transfer to third countries occurs during standard API processing. Error images handled via Google Workspace remain within Google's EU data region.
3. Necessity and Proportionality Assessment
3.1 Necessity
Question
Assessment
Is the processing necessary for the stated purpose?
Yes — document verification requires processing ID images; there is no less intrusive alternative to achieve OCR extraction
Is the data minimised?
Yes — only the document image is submitted; only extracted fields are returned; no data is retained by CTW
Are retention periods limited?
Yes — zero retention for standard processing; 7-day maximum for error images
Is there a valid legal basis?
Yes — CTW acts as processor under Art. 28 DPAs; customers determine their own legal basis as controllers
3.2 Proportionality
Principle
Assessment
Rating
Purpose limitation Data used exclusively for document verification; no secondary use
✅ Proportionate
Data minimisation Only ID image submitted; only structured data returned; no enrichment
✅ Proportionate
Storage limitation Zero retention (in-memory); 7 days max for error images
✅ Proportionate
Accuracy OCR output returned as-is; customer responsible for validation
✅ Proportionate
Integrity & confidentiality TLS 1.3 in transit; encryption at rest; AKS isolation; RBAC
✅ Proportionate
4. Risk Assessment
4.1 Risks to Data Subjects
#
Risk
Likelihood
Severity
Overall
Mitigation
D1
Unauthorised access to ID images during processing
Low
High
🟡 Medium
In-memory only processing; no disk persistence; TLS 1.3; RBAC; MFA
D2
ID image interception in transit
Low
High
🟡 Medium
TLS 1.3 mandatory; HSTS; certificate pinning recommended to customers
D3
Error images exposed via email breach
Low
Medium
🟢 Low
7-day auto-deletion; Google Workspace encryption; access restricted to support staff
D4
API key compromise leading to unauthorised document processing
Medium
High
🟡 Medium
Azure Key Vault; customer-managed rotation recommended; anomaly detection
D5
Insider threat — employee accesses processing data
Low
High
🟡 Medium
No persistent storage; RBAC; audit logging; background checks (formalising Q2 2026)
D6
Cloud provider breach (Azure)
Very Low
Critical
🟡 Medium
Azure SOC 2 Type II certified; encryption at rest; shared responsibility model
D7
Bulk data extraction via compromised API
Low
High
🟡 Medium
Rate limiting; anomaly detection; API key per customer; no data stored to extract
D8
Re-identification from extracted data
N/A
N/A
N/A
CTW does not store extracted data; returned to customer only
4.2 Risk Summary
Risk Level
Count
🔴 High
0
🟡 Medium
6
🟢 Low
1
N/A
1
No high or critical residual risks identified. All medium risks have documented mitigations in place.
5. Measures to Address Risks
5.1 Technical Measures
Measure
Description
Status
In-memory processing ID images are never written to disk or database; processed in AKS container memory and immediately discarded
✅ Implemented
Encryption in transit TLS 1.3 enforced on all API endpoints
✅ Implemented
Encryption at rest AES-256 encryption for all Azure storage (Key Vault managed)
✅ Implemented
Network isolation AKS deployed in Azure VNet with NSGs; no public admin access
✅ Implemented
Access control RBAC with least privilege; MFA (TOTP) on all accounts; admin limited to CEO + CTO
✅ Implemented
Logging & monitoring Azure Monitor; AKS application logs; security alerts
✅ Implemented
Vulnerability management GitHub Advanced Security (GHAS): SAST, secret scanning, Dependabot
✅ Implemented
Error image auto-deletion Automated 7-day deletion of error images from email
✅ Implemented
API rate limiting Per-customer rate limits to prevent bulk extraction attempts
✅ Implemented
5.2 Organisational Measures
Measure
Description
Status
DPAs with all customers Art. 28 compliant data processing agreements with all enterprise customers
✅ In place
DPAs with suppliers Standard DPAs with Azure, GitHub, Google Workspace
✅ In place
Security awareness training Annual training for all staff completed
✅ Completed
Incident Response Plan Documented IRP with escalation matrix and 72h GDPR notification process
✅ In place
GDPR Art. 30 register Processing activities register maintained in Google Drive
✅ In place
Confidentiality agreements Formal NDA process being implemented
🔄 Q2 2026
Background checks Process being formalised
🔄 Q2 2026
5.3 Data Subject Rights
Right
How CTW Supports
Right of access (Art. 15) CTW does not store personal data of end users; customers (as controllers) handle DSRs; CTW assists on request
Right to erasure (Art. 17) No data to erase (in-memory only); error images deleted automatically within 7 days or on request
Right to rectification (Art. 16) Not applicable — CTW does not store data that could be rectified
Right to data portability (Art. 20) Not applicable — CTW does not store personal data
Right to object (Art. 21) End users object to their controller (customer); CTW ceases processing on customer instruction
Right to restrict processing (Art. 18) CTW can disable specific customer API access on request
6. Consultation
6.1 Prior Consultation with Supervisory Authority (Art. 36)
Question
Assessment
Does this processing result in high residual risk after mitigation?
No — all residual risks are Medium or Low
Is prior consultation with BfDI required?
No — Art. 36 consultation is only required when the DPIA indicates processing would result in a high risk that cannot be mitigated
Stakeholder
Input
DPO (Sebastian Windeck)
In-memory-only architecture significantly reduces data protection risk; error image flow is the only persistence concern and is adequately mitigated by 7-day auto-deletion
ISO (Jan Marc Castlunger)
Technical controls are comprehensive; NDA and background check formalisation will further strengthen organisational measures
Chief of AI (Malte Toetzke)
OCR models do not retain or learn from individual document data; model training uses synthetic and licensed datasets only
7. DPIA Conclusion
Assessment
Result
Is the processing necessary and proportionate? ✅ Yes
Are risks to data subjects adequately mitigated? ✅ Yes
Is prior consultation with BfDI required? ❌ No
Can the processing proceed? ✅ Yes — with the identified measures in place
Residual risk assessment: ACCEPTABLE
The in-memory-only processing architecture is the primary safeguard. Since government ID images are never persisted to disk, database, or any long-term storage, the window of exposure is limited to milliseconds of processing time. This, combined with TLS 1.3 encryption, Azure VNet isolation, RBAC, and MFA, reduces the risk to data subjects to an acceptable level.
The error image flow (consent-based, email, 7-day auto-deletion) represents a minor residual risk that is proportionate to the debugging purpose and adequately controlled.
8. Review Schedule
Trigger
Action
Annually (March)
Full DPIA review as part of management review
New processing activity
Re-assess DPIA if Quick-ID adds new data processing features
Significant incident
Re-assess DPIA if a data breach or near-miss occurs
Regulatory change
Re-assess if GDPR guidance or national DPA opinions change requirements
9. Approval
Role
Name
Signature
Date
DPO
Sebastian Windeck
March 2026
ISO
Jan Marc Castlunger
March 2026
This DPIA is maintained as part of the CTW Data Solutions ISMS and is available to the supervisory authority (BfDI) on request.
March 9, 2026
March 9, 2026