A closer look at the data protection impact assessment (DPIA): When and under what conditions is it to be carried out?

by Swen

A data protection impact assessment (DPIA) is intended to enable a comprehensive risk assessment of data processing operations. This is what Art. 35 GDPR requires.

According to Art. 35 GDPR, a DPIA must be carried out in the following three cases:

1. The form of processing, in particular the use of new technologies, is likely, due to the type, scope, circumstances and purposes of the processing, to result in a high risk for the rights and freedoms of natural persons (Art. 35 (1) GDPR).

2. The processing falls under one of the standard examples from Art. 35 Para. 3 GDPR. These include:

a) The systematic and comprehensive assessment of personal aspects of natural persons, which is based on automated processing including profiling and which in turn serves as the basis for decisions that have legal effects on natural persons or affect them in a similarly significant manner.

b) The extensive processing of special categories of personal data in accordance with Article 9 (1) GDPR or personal data on criminal convictions and offenses in accordance with Article 10 GDPR.

c) The systematic extensive monitoring of publicly accessible areas.

3. The processing is on a list in accordance with Art. 35 Para. 4 GDPR:

But under what conditions and at what point in time should a DPIA be carried out? We take a detailed look at the DPIA in the following article.

When is a data protection impact assessment carried out?

A DPIA must be carried out if the processing of personal data results in particular risks for those affected. This can be, e.g., the processing of special categories of personal data as well as the processing of personal data to evaluate a natural person.

Here are some examples:

Personality tests or scoring. But: no DPIA is required, for example, for pure employee surveys that do not allow any conclusions to be drawn about specific employees.

The processing / storage of health data is often part of personnel processes (e.g. in occupational medicine, health care, or for aptitude tests in personnel questionnaires), but it also occurs in all classic sectors of the health industry and related service companies.

Video surveillance in premises and buildings such as parking lots, shopping centers or even in buses

Processing of personal data using techniques that allow the creation of movement profiles (e.g. GPS – location via vehicle, smartphone, etc.)

How and by whom is the assessment carried out to determine whether a DPIA is necessary?

The decision as to whether a data protection impact assessment is carried out is made by the “responsible body” (the company), while the data protection officer is on hand to provide advice. Whether a DPIA is necessary should already be determined when checking the documentation of the respective processing activities! Attention: There is an OBLIGATION under data protection law to carry out a DPIA for certain processing operations. Failure to do this constitutes a data protection violation! (Aid for recognizing a processing operation for which a DPIA is required:

If in doubt, you are always well advised to ask your data protection officer!

How is the DPIA carried out?

The person responsible carries out the DPIA with the advisory support of the data protection officer and appoints a knowledgeable “project team” suited to the respective processing activity. Your data protection officer knows the individual project steps of the DPIA. These steps bring the necessary knowledge to light and guarantee absolute transparency about risks and residual risks by documenting them. This is the only way to ensure that it is recognized which effective measures (TOM) have to be taken and maintained in order to adequately protect the rights of those affected.

Catching up on a DPIA that was improperly omitted

If a DPIA is not carried out despite a legal obligation, this is a violation according to Art. 83 para. 4 lit. a in conjunction with Art. 35 para. 1 GDPR. Beware of the risk of fines or sanctions: The subsequent implementation of a DPIA can make the imposition of a fine unnecessary. Recommendation: Make all processing activities transparent to your DPO. Establish a process with him to identify processing activities that are subject to DPIA.


Important to know: Even if the person responsible comes to the conclusion that no DPIA is required, this must be documented in writing (accountability).

Time frame of a DPIA: A standardized process facilitates and accelerates the implementation of a DPIA. Nevertheless: plan enough time for careful work!

A DPIA that has been carried out can also become an object of examination by a supervisory authority!




Swen brings 18 years of professional experience as an HR business partner, account manager and manager. In addition, he has acquired extensive know-how in interface roles between IT security and data protection. “As a certified data protection officer, I will be happy to support and advise you in implementing the GDPR.”