In what cases must I carry out a DPIA? Are there lists of processing activities that require a DPIA?

The Article 29 Working Party has provided the most universally applicable guidance for this question[1]. On this basis, many supervisory authorities have issued more specific guidance in their national language, focusing on their national concerns.

The guidance provides a procedure for establishing whether a processing activity is “likely to result in a high risk for the rights and freedoms of natural persons”, i.e., whether a DPIA is required. It consists of nine criteria about the processing activity. For each criterion, the controller has to decide (and document) whether it is relevant for the processing activity at hand. The working party’s guidance includes examples that illustrate this.

In particular, the nine criteria pertain to the following:

  1. Evaluation or scoring;
  2. Automated decision-making with legal or similar significant effect;
  3. Systematic monitoring;
  4. Sensitive data or data of a highly personal nature;
  5. Data processed on a large scale;
  6. Matching or combining datasets;
  7. Data concerning vulnerable data subjects;
  8. Innovative use or applying new technological or organizational solutions;
  9. Prevents data subjects from exercising a right or using a service or a contract;

Based on the assessment of these criteria, the decision is made whether the processing likely results in a high risk: “In most cases, a data controller can consider that a processing meeting two criteria would require a DPIA to be carried out.”[2] This is only indicative, however, and a controller may decide that:

  • a processing meeting only one of these criteria requires a DPIA;[3]
  • a processing meeting (at least) two criteria is still not likely to result in a high risk[4].

In the latter case the controller has to justify this decision. In any case, to demonstrate compliance (Article 5(2) GDPR), the procedure to determine whether a DPIA is needed should be documented.

As additional guidance, (national) supervisory authorities must publish a list of the kind of processing operations which require a DPIA (Article 35(4) GDPR) and may also publish a list of operations where a DPIA is not necessary (Article 35(5) GDPR). These lists are presented to the EDPB, and published at the EU level[5]; in practice these publications can act as an accessible repository of national level DPIA requirements and expectations.

We advise following either the national procedure or the one provided by the Article 29 Working Party, and documenting the outcome even if it shows that a DPIA is not necessary.

References

[1] See wp248rev.01, Section III.B., pages 8-13. Download link is contained in Footnote 137.

[2] wp248rev.01, Section III.B., page 11, 2nd paragraph, highlighting added by authors.

[3] wp248rev.01, Section III.B., page 11, 3rd paragraph.

[4] wp248rev.01, Section III.B., page 12, 2nd paragraph.

[5] See https://edpb.europa.eu/our-work-tools/our-documents/topic/data-protection-impact-assessment-dpia_en
