GDPR Art. 35 DPIA trigger threshold — when does 'likely to result in high risk' actually apply?
Article 35 requires a DPIA when processing is 'likely to result in a high risk to the rights and freedoms of natural persons.' The WP29 guidelines list 9 criteria, but the threshold for 'likely' vs 'possible' remains ambiguous.

Jurisdiction: EU, DE, AGNOSTIC

Specific scenarios where we're unsure:
- Internal analytics dashboards that include employee performance metrics
- Customer segmentation using purchase history + basic demographics (no sensitive data)
- Log aggregation that captures IP addresses for security monitoring

How do other DPOs/compliance teams draw the line? Looking for practical heuristics from people who've defended their DPIA decisions to a supervisory authority.