When is DPIA Required?

Learn the legal criteria and categories of processing that require mandatory DPIA.

Legal Criteria (GDPR Article 35)

Article 35(1) GDPR requires a DPIA before processing that, in particular where new technologies are used, is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) then names three situations in which a DPIA is required in any case.

Systematic Profiling

Article 35(3)(a)
A systematic and extensive evaluation of personal aspects of natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the person or similarly significantly affect them. Typical examples are scoring or prediction of professional performance, economic situation, health, preferences or interests.

Large Scale

Article 35(3)(b)
Large-scale processing of special categories of data (Art. 9) or data relating to criminal convictions and offences (Art. 10).

Systematic Monitoring

Article 35(3)(c)
Systematic monitoring of a publicly accessible area on a large scale (for example networked CCTV; facial recognition in such areas additionally involves biometric data and so also engages Article 9).

EDPB Criteria (WP248) — 9 Elements

The Article 29 Working Party guidelines on DPIA (WP248 rev.01), endorsed by the European Data Protection Board, set out nine criteria for assessing whether processing is likely to result in high risk:

1. Evaluation or scoring, including profiling and predicting.
2. Automated decision-making with legal or similarly significant effect.
3. Systematic monitoring of data subjects.
4. Sensitive data or data of a highly personal nature.
5. Data processed on a large scale.
6. Matching or combining datasets.
7. Data concerning vulnerable data subjects (children, employees, patients and others in a position of imbalance).
8. Innovative use or application of new technological or organisational solutions.
9. Processing that in itself prevents data subjects from exercising a right or using a service or a contract.

As a rule of thumb, processing that meets two or more of these criteria requires a DPIA; a single criterion may be enough where the risk is evidently high, and a controller that decides not to carry out a DPIA should document why.

National Supervisory Authority Categories

Under Article 35(4), each national Supervisory Authority publishes a list of processing operations for which a DPIA is mandatory regardless of case-by-case analysis. Under Article 35(5) it may also publish a list of operations for which no DPIA is required. Check the list of the authority competent for your establishment; the lists differ between Member States.

Quick Test: Do I Need a DPIA?

Answer these questions to determine if your data processing requires mandatory DPIA.

Does my processing involve systematic profiling or automated decisions?
If you answer YES, the processing is very likely subject to mandatory DPIA. Systematic evaluation resulting in profiling, scoring or automated decisions that produce legal effects or similarly significantly affect the person triggers the obligation under Article 35(3)(a).
Do we process sensitive data on a large scale?
Large-scale processing of special category data (Article 9: health, genetic and biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation) or of data on criminal convictions and offences (Article 10) requires mandatory DPIA under Article 35(3)(b).
Do we operate video surveillance or facial recognition?
Systematic monitoring of publicly accessible areas on a large scale requires mandatory DPIA under Article 35(3)(c). Facial recognition processes biometric data, so on a large scale it also falls under Article 35(3)(b), and several national lists name it expressly.
Does the processing affect children or vulnerable groups?
Vulnerable data subjects are one of the WP248 high-risk criteria. Processing involving minors that also meets another criterion, such as behavioural analysis, marketing or pattern analysis, normally requires a DPIA.
Do we combine data from multiple sources in novel ways?
Matching or combining data from different sources in ways the data subjects would not reasonably expect, especially using new technologies, meets two WP248 criteria and therefore normally triggers the DPIA obligation.

Exceptions (Article 35(5), (8) and (10))

There are situations where, despite high-risk criteria, a full DPIA is not required or an existing assessment can be reused.

Processing Authorized by Law

Where processing is necessary for a legal obligation or a public task (Article 6(1)(c) or (e)) and is regulated by Union or Member State law, and a DPIA was already carried out as part of a general impact assessment when that law was adopted, Article 35(10) waives the controller's own DPIA unless the Member State requires one before processing.

Code of Conduct Compliance

Compliance with an approved code of conduct under Article 40 must be taken into due account when assessing the impact of processing (Article 35(8)). It informs the assessment and may shorten it; it does not by itself exempt the controller from the DPIA obligation.

Previously Assessed Processing

A single DPIA may cover a set of similar processing operations that present similar high risks (Article 35(1)). Where an earlier assessment already covers the operation and its risks, it need not be repeated, but it must be reviewed when the risk presented by the processing changes (Article 35(11)).

Non-Compliance Consequences

Failure to conduct a mandatory DPIA, or to consult the Supervisory Authority where required, is an infringement of the controller's obligations and can result in significant administrative fines.

10M EUR
Maximum fine for breach of Articles 35 and 36 (Article 83(4)(a))
2%
Or 2% of total worldwide annual turnover, whichever is higher
20M EUR / 4%
Higher tier (Article 83(5)) for infringements of the basic principles, data subjects' rights or international transfer rules

Supervisory Authorities have competence to impose fines for breach of Article 35 (mandatory DPIA) and Article 36 (prior consultation) under Article 83(4)(a), that is up to 10M EUR or 2% of worldwide annual turnover. The 20M EUR or 4% tier applies to the infringements listed in Article 83(5), which an authority may find alongside a missing DPIA if the underlying processing itself proves unlawful. The authority can also order the processing to be suspended or limited under Article 58(2).

The information on this website is for informational purposes only and does not constitute legal advice. A DPIA should be conducted with the support of qualified professionals.