Member Services

01 23 777 88

or complete our Contact Form


01 23 777 23

or complete our Contact Form


How to work out when a Data Protection Impact Assessment is necessary

The European Data Protection Supervisor has published its list of what types of processing operations require a Data Protection Impact Assessment (DPIA) under the new data protection rules for the EU institutions (GDPR for EUI). 

They also published a list of processing operations that do not require a DPIA. Adopted after consultation with the European Data Protection Board (EDPB), these lists aim to provide additional guidance to controllers working in the EU institutions on how to implement the new rules. It complements the advice provided in their accountability on the ground toolkit.

DPIAs are a new concept introduced under both the GDPR and the GDPR for EUI. 

They help to ensure that controllers adequately address privacy and data protection risks in certain high-risk processing operations. 

This is particularly helpful in ensuring compliance with the concept of data protection by design, which involves building data protection into new processes and technologies, as it provides a structured way of thinking about the risks to individuals and how to mitigate them.

The list identifies some common cases in which a DPIA is needed. These include:

  • exclusion databases;
  • the large-scale processing of special categories of personal data, such as disease monitoring, pharmacovigilance and central databases for law-enforcement cooperation;
  • internet traffic analysis breaking encryption;
  • e-recruitment tools that automatically pre-select or exclude candidates without human intervention.

However, the speed of technological development means that it is impossible to produce an exhaustive list of all high-risk processing operations. The list therefore also provides a set of criteria that can be used by controllers to assess whether a DPIA is required.

Publication of the EDPS list, which applies specifically to data processing operations carried out by the EU institutions, follows the publication by many other EU data protection authorities (DPAs) of their own lists on DPIAs, aimed at the organisations and businesses operating in their respective countries.



If you would like to learn more about how to do a Data Protection Impact Assessment it is covered as a module on our European Certified Data Protection Officer Course or contact us for a free data protection consultation at

Share this article!