Does every AI chatbot require a data protection impact assessment (DPIA)?
Not for every bot, but more often than SMEs expect. A DPIA is mandatory under Art. 35 GDPR where processing is "likely to result in a high risk" to the rights and freedoms of individuals. This is regularly the case when the bot processes special categories of data (health, religion, sexual orientation), carries out profiling, or serves systematic monitoring purposes. A simple FAQ bot handling no personal data needs only a lean risk analysis, whereas a customer-support bot that reads tickets requires a full DPIA.
This question is part of our article on "AI Chatbot Lies? Your Business Is Liable — The OLG Hamm Ruling". You'll find the full context and all related angles there.