Q: When is a Data Protection Impact Assessment (DPIA) required?
A: A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases:
a systematic and extensive evaluation of the personal aspects of an individual, including profiling;
processing of sensitive data on a large scale;
systematic monitoring of public areas on a large scale.
National Data Protection Authorities
, in concertation with the European Data Protection Board
, may provide lists of cases where a DPIA would be required. The DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise. Where there are residual risks that can’t be mitigated by the measures put in place, the DPA must be consulted prior to the start of the processing.
A bank screening its customers against a credit reference database; a hospital about to implement a new health information database with patients’ health data; a bus operator about to implement on-board cameras to monitor drivers’ and passengers’ behaviour.
DPIA not required
A doctor processing personal data of his patients. In that case, there is no need for a DPIA since the processing by the doctors isn’t done on a large scale in cases where the number of patients is limited.
Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation (EU) 2016/679, 4 April 2017
Articles 35 and 36 and Recitals (89) to (96) of the GDPR
The above FAQ was included on the European Commission’s website, which can be located here: