Skip to main content
All CollectionsCompliance
When do I need a Data Protection Impact Assessment (DPIA)?
When do I need a Data Protection Impact Assessment (DPIA)?
Alex Franch Tapia avatar
Written by Alex Franch Tapia
Updated over 3 months ago

Article 35(3) sets out three types of processing which always require a DPIA:

  1. Systematic and extensive profiling with significant effects: “(a) any systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”

  2. Large scale use of sensitive data: “(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.”

  3. Public monitoring: “(c) a systematic monitoring of a publicly accessible area on a large scale.”

The ICO is required by Article 35(4) to publish a list of processing operations that require a DPIA.

  1. Innovative technology: processing involving the use of innovative technologies, or the novel application of existing technologies (including AI). A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  2. Denial of service: Decisions about an individual’s access to a product, service, opportunity or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.

  3. Large-scale profiling: any profiling of individuals on a large scale.

  4. Biometrics: any processing of biometric data. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  5. Genetic data: any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  6. Data matching: combining, comparing or matching personal data obtained from multiple sources

  7. Invisible processing: processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  8. Tracking: processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  9. Targeting of children or other vulnerable individuals: the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.

  10. Risk of physical harm: where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals.

Related Articles
Do we need to share the list of tools and third parties we use? Is it a security risk?
How do I change the examples for the personal data categories in my privacy policy?
How to reply to a Data Subject Access Request?
[Checklist] Data Processing Agreement
Choosing a Data Retention Period for UK companies
Did this answer your question?