The data controller shallcarry out an assessment – a DPIA – of the impact of the envisaged processing operations on the protection of personal data, when thetype of processing is likely to result in a high risk to the rights and freedoms of natural persons.This assessment must be done prior to the processing and, in particular if using new technologies, must take into account the nature, scope, context and purposes of the processing.

A single DPIAmay address a set of similar processing operations that present similar high risks, as stated in Article 39 of Regulation 2018/1725.