According with Article 35 of the Regulation 2016/679 GDPR, a Data Protection Impact Assessment (DPIA), is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data, by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation.

When is a DPIA mandatory?

The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. The carrying out of a DPIA is only mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

In this sense, Article 35(3) GDPR, provides some examples when a processing operation is “likely to result in high risks”:

– “(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person12;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 1013; or

(c) a systematic monitoring of a publicly accessible area on a large scale”.

In order to make it easier for data controllers to identify processing operations requiring a DPIA, the GDPR provides that the supervisory authorities must publish a list of processing operations requiring a DPIA. This list has to be communicated to the European Data Protection board.


Who is obliged to carry out the DPIA?

The controller is responsible for ensuring that the DPIA is carried out (Article 35(2)). Carrying out the DPIA may be done by someone else, inside or outside the organization, but the controller remains ultimately accountable for that task.

If the processing is wholly or partly performed by a data processor, the processor should assist the controller in carrying out the DPIA and provide any necessary information.