The GDPR requires a DPIA when the data processing is likely to result in a high risk to the rights and freedoms of natural persons. The developers, unsure if the processing poses such risks, decide to asses the processing adopting the aforementioned nine criteria suggested by the Article 29 Working Party.

Criteria for high-risk processing
Evaluation or scoring (e.g., profiling)	✗	Does not apply
Automated-decision makingwithlegal or similar significant effect	✗	Does not apply
Systematic monitoring	✗	Does not apply
Sensitive data or dataof a highly personal nature	✓	Applies (see below)
Data processed on a largescale	✓	Applies (see section)
Matching or combining datasets (beyond reasonable expectations of data subject)	✗	Does not apply
Data concerning vulnerable data subjects	✗	Does not apply
Innovative use or applying new technological or organizational solutions	✗	Does not apply (see below)
When the processing in itself prevents data subjects from exercising a right or using a service or a contract	✗	Does not apply

The assessment reveals that the processing satisfies at least two criteria. The first one regards the type of personal data that are going to be processed. Since, in the context of this research activity, palmprints have been established as biometric data, the developers conclude that these data satisfy the criterion of being sensitive and of a highly personal nature. The second criterion regards the scale of the processing. The developers already established that the processing qualifies as a ‘large scale’ one (see ‘Appoint a Data Protection Officer (DPO)’).

The developers interrogate themselves also on the ‘Innovative use or applying new technological or organizational solutions’ criterion. It does not apply since the activity is focused on research and concrete application to an organizational context is not envisioned in the current activity.

Data Protection Impact Assessment
Is the processing a ‘high risk’ one	Yes	✓	DPIA is mandatory
	No		DPIA is optional