When is a DPIA mandatory? Where a processing is “likely to result in a high risk”.
The GDPR does not require a DPIA to be carried out for every processing operation which may result
in risks for the rights and freedoms of natural persons.
The carrying out of a DPIA is only mandatory
where a processing is “likely to result in a high risk to the rights and freedoms of natural persons”
(Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4)).
A DPIA is particularly relevant when a new data processing technology is being introduced.
In cases where it is not clear whether a DPIA is required, the WP29 recommends that a DPIA be
carried out nonetheless, as a DPIA is a useful tool to help data controllers comply with data protection
Even though a DPIA could be required in other circumstances, Article 35(3) provides some examples
when a processing is “likely to result in high risks”:
- “(a) a systematic and extensive evaluation of personal aspects relating to natural persons
which is based on automated processing, including profiling, and on which decisions are
based that produce legal effects concerning the natural person or similarly significantly affect
the natural person;
- (b) processing on a large scale of special categories of data referred to in Article 9(1), or of
personal data relating to criminal convictions and offences referred to in Article 10;
- (c) a systematic monitoring of a publicly accessible area on a large scale”.
As the words “in particular” in the introductory sentence of Article 35(3) GDPR indicate, this is
meant as a non-exhaustive list. There may be “high risk” processing operations that are not captured
by this list, yet pose similarly high risks. Those processing operations should also be subject to
For this reason, the criteria developed below sometimes go beyond a simple explanation of
what should be understood by the three examples given in Article 35(3) GDPR.