
When is a DPIA Required? GDPR Article 35 Explained

Learn when GDPR Article 35 requires a Data Protection Impact Assessment. Includes the mandatory triggers, EDPB guidance, and practical examples.

Tags: DPIA, Article 35, GDPR, Risk Assessment, Privacy by Design

Data Protection Impact Assessments (DPIAs) are mandatory under GDPR Article 35 when processing is "likely to result in a high risk" to individuals. But what exactly triggers this requirement? This guide breaks down the legal criteria, regulatory guidance, and practical decision-making process.

Article 35 Mandatory DPIA Triggers

GDPR Article 35(3) explicitly requires a DPIA for these processing types:

  • Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects on individuals are based
  • Large-scale processing of special category data (Article 9) or criminal conviction data (Article 10)
  • Systematic monitoring of publicly accessible areas on a large scale

These are minimum triggers. National DPAs publish additional lists of processing operations requiring DPIAs. Always check your supervisory authority's specific requirements.

EDPB High-Risk Criteria

The European Data Protection Board (formerly the Article 29 Working Party) established nine criteria for identifying high-risk processing. In most cases, processing that meets two or more of these criteria requires a DPIA:

  • Evaluation or scoring (including profiling and predicting)
  • Automated decision-making with legal or significant effects
  • Systematic monitoring of individuals
  • Processing of sensitive or highly personal data
  • Large-scale data processing
  • Matching or combining datasets
  • Data concerning vulnerable subjects (employees, children, patients)
  • Innovative use or applying new technologies
  • Processing that prevents individuals from exercising rights or accessing services

Practical Examples

DPIA Required:

  • AI-powered recruitment screening (profiling + automated decisions + innovative tech)
  • Employee monitoring software (systematic monitoring + vulnerable subjects)
  • Customer loyalty program with behavioral analytics (profiling + large scale)
  • Health app processing biometric data (sensitive data + innovative use)
  • CCTV with facial recognition in retail (systematic monitoring + biometric data)

DPIA Likely NOT Required:

  • Standard payroll processing (established process, limited scope)
  • Basic customer contact database (minimal risk, no profiling)
  • Email newsletter with consent (simple processing, easy opt-out)
  • Single practitioner medical records (not large scale despite sensitive data)

DPIA Process Under Article 35(7)

When a DPIA is required, Article 35(7) mandates these elements:

  • Systematic description of processing operations and purposes
  • Assessment of necessity and proportionality
  • Assessment of risks to rights and freedoms
  • Measures to address risks (safeguards and security measures)

When to Conduct the DPIA

DPIAs must be conducted BEFORE processing begins. For processing that is already under way, a retroactive DPIA should be prioritized, but it does not satisfy the "prior to processing" requirement for new activities.

The ideal timing is during the design phase of new projects, systems, or processing activities. This allows privacy-by-design principles to shape the implementation rather than retrofit controls afterward.

DPO Consultation Requirement

Article 35(2) requires organizations to seek the advice of their Data Protection Officer when carrying out a DPIA. If you don't have a DPO, consider engaging external expertise for high-risk assessments.

Prior Consultation with DPA

Under Article 36, if your DPIA identifies high residual risks that cannot be mitigated, you must consult your supervisory authority before proceeding. The DPA then has 8 weeks (extendable) to provide written advice.

Prior consultation is a significant step that can delay projects. Proper risk mitigation during the DPIA process usually avoids this requirement.

Documenting Your DPIA Decision

Even when you determine a DPIA isn't required, document your reasoning. This demonstrates accountability and provides audit evidence. Record which criteria you assessed and why you concluded the processing doesn't meet the high-risk threshold.

Streamlining DPIA Compliance

Manual DPIA processes often result in inconsistent assessments, missed reviews, and documentation gaps. A structured DPIA tool ensures you evaluate all required criteria, maintain version history, and generate audit-ready reports.

MultiComply's DPIA module guides you through Article 35 requirements with structured risk scoring, mitigation tracking, and DPO review workflows. Start your free trial to simplify your impact assessments.
