
@thabofletcher

Summary

Adds a database migration to seed GDPR DPIA (Data Protection Impact Assessment) questions organized by Article 35 requirement groups:

  1. Processing Description - Nature, scope, context, purposes, data categories, data subjects, retention
  2. Necessity and Proportionality - Lawful basis, necessity justification, data minimization
  3. Risk Assessment - Risks to rights/freedoms, likelihood/severity, special categories
  4. Risk Mitigation Measures - Technical measures, organizational measures, risk-to-measure mapping
  5. Data Subject Rights - Information provision (Arts 13/14), rights exercise mechanisms
  6. Third-Party Sharing - Recipients, international transfers
  7. Consultation - Data subject consultation, prior consultation with supervisory authority

Each question includes:

  • fides_sources mapping to Fides data model fields for auto-population
  • expected_coverage indicating how much can be derived from system data
  • Guidance text for manual completion

Test plan

  • Run migration: alembic upgrade head
  • Verify questions are seeded for the gdpr_dpia template
  • Generate a DPIA assessment and confirm questions appear correctly grouped

🤖 Generated with Claude Code

Seeds questions for the GDPR DPIA assessment template organized by
Article 35 requirement groups:
- Processing description (nature, scope, context, purposes)
- Necessity and proportionality
- Risk assessment
- Risk mitigation measures
- Data subject rights
- Third-party sharing and transfers
- Consultation requirements

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@vercel

vercel bot commented Feb 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
fides-plus-nightly Ignored Ignored Preview Feb 11, 2026 5:07am
fides-privacy-center Ignored Ignored Feb 11, 2026 5:07am

@thabofletcher thabofletcher marked this pull request as ready for review February 11, 2026 05:07
@thabofletcher thabofletcher requested a review from a team as a code owner February 11, 2026 05:07
@thabofletcher thabofletcher requested review from erosselli and removed request for a team February 11, 2026 05:07
@greptile-apps

greptile-apps bot commented Feb 11, 2026

Greptile Overview

Greptile Summary

This PR adds a database migration that seeds 23 GDPR DPIA (Data Protection Impact Assessment) questions organized into 7 Article 35 requirement groups:

  • Processing Description - 4 questions covering nature, data categories, data subjects, retention
  • Necessity and Proportionality - 3 questions on lawful basis and data minimization
  • Risk Assessment - 3 questions on rights/freedoms risks and special categories
  • Risk Mitigation Measures - 3 questions on technical and organizational safeguards
  • Data Subject Rights - 2 questions on transparency and rights mechanisms
  • Third-Party Sharing - 2 questions on recipients and international transfers
  • Consultation - 2 questions on data subject and supervisory authority consultation

Each question includes fides_sources mappings to Fides data model fields for auto-population and expected_coverage indicators. The migration includes proper safeguards (checks if template exists, checks if questions already seeded) and a downgrade function to remove the questions.

Confidence Score: 4/5

  • This PR is safe to merge with minor concerns about revision ID consistency
  • The migration is well-structured with proper safeguards (existence checks, idempotency), comprehensive GDPR DPIA question coverage, and a complete downgrade function. However, the down_revision comment in the docstring (b2c3d4e5f6g7) doesn't match the actual value in the code (f85bd4c08401), which could cause confusion but won't affect migration execution
  • The migration file has a minor inconsistency in the revision comment that should be corrected

Important Files Changed

Filename Overview
src/fides/api/alembic/migrations/versions/xx_2026_02_10_1200_c3d4e5f6g7h8_add_gdpr_dpia_questions.py Database migration seeds 23 GDPR DPIA questions across 7 requirement groups with proper safeguards and downgrade support


@greptile-apps greptile-apps bot left a comment

2 files reviewed, 1 comment

"""add GDPR DPIA questions

Revision ID: c3d4e5f6g7h8
Revises: b2c3d4e5f6g7
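
Review bot: The `Revision ID: c3d4e5f6g7h8` line carries a hand-written sequential identifier (it contains `g` and `h`, so it is not one of the 12-character hex IDs Alembic generates), and the `Revises: b2c3d4e5f6g7` line follows the same pattern. Hand-picked IDs of this shape are easy to repeat in another branch, and a duplicate would make the revision chain ambiguous; regenerate the ID with `alembic revision` and keep the docstring in step with the `revision` and `down_revision` variables.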

Docstring comment says Revises: b2c3d4e5f6g7 but line 17 has down_revision = "f85bd4c08401". Update docstring for consistency.

Suggested change
Revises: b2c3d4e5f6g7
Revises: f85bd4c08401
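
The docstring/`down_revision` mismatch flagged above can be caught mechanically before review. The following is an added example, not code from this PR or from Fides: it compares an Alembic migration's docstring header with its `revision` and `down_revision` variables. `check_migration_header` and `SAMPLE_MIGRATION` are hypothetical names, and the sample is constructed from the values quoted in this thread.

```python
import ast
import re

# Constructed sample: header and variables built from the values quoted in this thread.
SAMPLE_MIGRATION = '''"""add GDPR DPIA questions

Revision ID: c3d4e5f6g7h8
Revises: b2c3d4e5f6g7
"""

revision = "c3d4e5f6g7h8"
down_revision = "f85bd4c08401"
'''

# Docstring label -> module-level variable that Alembic actually reads.
HEADER_FIELDS = {"Revision ID": "revision", "Revises": "down_revision"}


def check_migration_header(source: str) -> list[str]:
    """Return one message per docstring field that disagrees with the code."""
    tree = ast.parse(source)
    doc = ast.get_docstring(tree) or ""
    # Collect top-level constant assignments, plain or annotated.
    # Merge migrations with a tuple down_revision are not handled here.
    assigned = {}
    for node in tree.body:
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign):
            targets, value = [node.target], node.value
        else:
            continue
        if isinstance(value, ast.Constant):
            for target in targets:
                if isinstance(target, ast.Name):
                    assigned[target.id] = value.value
    problems = []
    for label, var in HEADER_FIELDS.items():
        match = re.search(rf"^{re.escape(label)}:[ \t]*(\S*)", doc, re.MULTILINE)
        if match is None:
            problems.append(f"docstring has no '{label}:' line")
            continue
        documented = match.group(1)
        actual = assigned.get(var)
        # A root migration documents an empty 'Revises:' and sets down_revision = None.
        if documented != ("" if actual is None else str(actual)):
            problems.append(f"{label}: docstring says {documented!r}, {var} = {actual!r}")
    return problems
```

Run over every file in the migrations `versions` directory in CI, a non-empty result fails the build before the inconsistent header reaches review.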


@erosselli erosselli left a comment

Approving with some comments

@@ -0,0 +1,3 @@
type: Added
description: Add GDPR DPIA assessment questions migration with Article 35 requirement groups
pr: 7356

Suggested change
pr: 7356
pr: 7356
labels: ["db-migration"]

"""add GDPR DPIA questions

Revision ID: c3d4e5f6g7h8
Revises: b2c3d4e5f6g7

see greptile's comment



# GDPR DPIA Questions organized by requirement group (per Article 35)
GDPR_DPIA_QUESTIONS = [

will these ever change? would we want to use them elsewhere in the codebase, or are they truly only going to be used as part of this migration?
