
When Is a DPIA Legally Mandatory Under GDPR? A Definitive Guide


Author: Jerisaliant

GDPR Article 35: The Legal Foundation

Article 35(1) of the GDPR states that a DPIA is required when a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The key phrase is "likely to result in a high risk"—it is a forward-looking assessment, not a post-incident response.

The Three Explicitly Required Scenarios

Article 35(3) lists three scenarios where a DPIA is always required:

  1. Systematic and extensive evaluation of personal aspects: This includes profiling and automated decision-making that produces legal or similarly significant effects on individuals (e.g., credit scoring, automated recruitment screening).
  2. Large-scale processing of special categories of data: Processing health records, biometric data, genetic data, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, or criminal convictions on a large scale.
  3. Systematic monitoring of publicly accessible areas on a large scale: Such as citywide CCTV surveillance, public Wi-Fi tracking, or facial recognition in public spaces.

The EDPB/WP29 Nine Criteria

The European Data Protection Board (formerly WP29) provides additional guidance with nine criteria. If your processing meets two or more of these criteria, a DPIA is generally required:

  1. Evaluation or scoring (including profiling and predicting)
  2. Automated decision-making with legal or significant effect
  3. Systematic monitoring
  4. Sensitive data or data of a highly personal nature
  5. Data processed on a large scale
  6. Matching or combining datasets
  7. Data concerning vulnerable data subjects (children, employees, patients)
  8. Innovative use or applying new technological or organizational solutions
  9. Processing that prevents data subjects from exercising a right or using a service or contract

National DPA Blacklists

Under Article 35(4), each national Data Protection Authority publishes a list of processing operations that always require a DPIA within its jurisdiction. These "blacklists" go beyond the GDPR's general criteria. For example:

  • The French CNIL requires DPIAs for processing health data for research, genetic data processing, and biometric processing for access control.
  • The German DSK includes employee monitoring, scoring, and video surveillance.
  • The UK ICO lists processing for invisible or unexpected tracking, automated decision-making for access to services, and processing genetic or biometric data.

When a DPIA Is Not Required

Article 35(5) allows DPAs to also publish "whitelists" of processing that does not require a DPIA. Additionally, a DPIA is not required when:

  • The processing is not likely to result in high risk (based on the criteria above).
  • A similar DPIA has already been conducted for a very similar processing operation.
  • The processing was authorized before May 25, 2018, and conditions have not changed (though this is a narrow exception that shrinks over time).

The Consequences of Non-Compliance

Failing to conduct a required DPIA can result in administrative fines of up to EUR 10 million or 2% of global annual turnover under Article 83(4)(a) of the GDPR. More practically, it also means you are processing data without understanding the risks, increasing the likelihood of a breach and the associated costs.

Jerisaliant's DPIA module includes a built-in screening questionnaire that automatically determines whether a DPIA is required based on EDPB criteria and jurisdiction-specific DPA blacklists.
