The data protection impact assessment (DPIA) is one of the central instruments of the General Data Protection Regulation (GDPR) for identifying and minimizing risks at an early stage. It is particularly relevant in the case of new technologies and where personal data is processed in a way that is likely to result in a high risk to the rights and freedoms of natural persons.
But when exactly is a DPIA required? What criteria apply? And how can typical use cases such as profiling or video surveillance be implemented in compliance with data protection regulations?
What is a DPIA and what is it for?
The data protection impact assessment is a structured procedure according to Art. 35 GDPR. It must include a systematic description of the planned processing operations, an assessment of the necessity and proportionality of the processing operations, an assessment of the risks to the rights and freedoms of data subjects and the planned remedial measures - in particular safeguards, security measures and procedures that ensure the protection of personal data and demonstrate compliance with the GDPR.
It systematically assesses the risks of any planned processing of personal data - for example in the context of a new software solution, an HR tool or the processing of sensitive data.
The aim of the DPIA is to define technical and organizational measures that minimize the risk. In this way, companies not only fulfil a legal obligation but also actively practise privacy by design and strengthen their compliance.
When is a data protection impact assessment mandatory?
A DPIA must be carried out if the data processing is likely to entail a high risk. The GDPR does not contain an exhaustive list, but does name key risk scenarios:
- Systematic and comprehensive assessment of personal characteristics, e.g. through automated decision-making or scoring procedures
- Processing of special categories of personal data in accordance with Art. 9 GDPR (e.g. health or biometric data)
- Surveillance of publicly accessible areas, e.g. video surveillance
- Use of new technologies where the impact on those affected is difficult to assess
In addition, supervisory authorities publish national positive lists, such as the list of processing activities of the German Data Protection Conference (DSK). These lists specify processing operations for which the DPIA obligation unquestionably applies.
DPIA criteria: When is there a "high risk"?
The former Article 29 Working Party has identified nine criteria to help with the risk assessment. If two or more of these characteristics are fulfilled, a DPIA should be carried out:
- Evaluation or classification (e.g. creditworthiness check)
- Automated decisions with legal effect
- Systematic monitoring
- Processing of sensitive data (health, ethnicity, political opinion, etc.)
- Processing on a large scale
- Merging data records from different sources
- Processing of data of vulnerable persons (e.g. children, employees)
- Use of innovative technologies
- Restriction of data subject rights through processing
These criteria are not exhaustive and do not release you from the obligation to carry out an individual risk assessment in each case - a DPIA may be necessary even if only one of the criteria is met - but they do provide clear guidance on when a DPIA is required.
Practical examples: In these cases, a DPIA is usually mandatory
In practice, there are numerous scenarios in which a data protection impact assessment is not only recommended but also required by law. This applies in particular to processing activities in which sensitive data is collected, extensively evaluated or used as the basis for automated decisions. The following are typical scenarios in which a DPIA must, as a rule, be carried out:
One example is the introduction of a new HR management system that carries out algorithmic assessments of employees or applicants. As soon as automated decision-making with possible effects on the data subject takes place, a DPIA must be carried out.
Another example is the use of artificial intelligence (AI) in the selection of applicants. When systems make predictions about suitability from CVs and behavioral data, for example, there is a high risk within the meaning of the GDPR, particularly with regard to transparency and non-discrimination.
The DPIA obligation also often applies to the location tracking of field staff via GPS-based systems, as this involves comprehensive real-time monitoring and an invasion of privacy.
Another prominent field of application is online tracking, especially when using tracking cookies, fingerprinting techniques or similar user profiling technologies. There is an increased risk here with regard to the traceability, consent and informational self-determination of users.
Last but not least, video surveillance of publicly or non-publicly accessible premises is a classic example of where a DPIA is regularly required - especially if data is systematically recorded, evaluated or linked to other data sources.
These practical examples make it clear that the obligation to carry out a data protection impact assessment affects many modern business processes, regardless of the size of the company. Medium-sized companies in particular should check at an early stage whether their planned processing activities fall under the DPIA obligation in order to avoid liability risks and consistently protect the rights of data subjects.
How does a data protection impact assessment work?
Conducting a data protection impact assessment is a structured process consisting of several phases. The aim is to systematically evaluate the potential impact of a planned processing of personal data and to take appropriate measures to mitigate it.
The first step is the detailed description of the processing operations. The purpose, type, scope, context and technologies used for the processing are documented. This also includes identifying the groups of data subjects and the categories of data to be processed.
Next, the necessity and proportionality of the processing are assessed. This involves analyzing whether the planned processing rests on a legal basis and whether there are less intrusive alternatives to achieve the same purpose. This step is crucial for compliance with the principles of data minimization and purpose limitation.
The third step is the risk analysis: what are the risks to the rights and freedoms of data subjects? Possible harms such as discrimination, identity theft, economic damage or loss of control over personal data are assessed here. Both the likelihood of these risks occurring and the severity of the impact if they materialize must be assessed.
In the fourth step, appropriate risk mitigation measures are derived. These include both technical measures (e.g. encryption, pseudonymization, access restrictions) and organizational measures (e.g. training, data protection guidelines, control mechanisms). The aim is to reduce the risk to an acceptable level.
The next step is the documentation of the results. This is essential for accountability in accordance with Art. 5 para. 2 GDPR. The DPIA must be prepared in such a way that it is comprehensible in the event of an audit by the supervisory authority.
Finally, it must be checked whether a high risk to the data subjects remains despite all the measures taken. If this is the case, the GDPR provides for prior consultation with the data protection supervisory authority in accordance with Art. 36 GDPR. Processing may only begin once this consultation has been carried out and evaluated.
What happens if it is not carried out?
Failure to carry out a legally required data protection impact assessment (DPIA) can have significant legal, financial and reputational consequences for companies. Art. 83 para. 4 lit. a of the GDPR explicitly stipulates that a breach of the obligation to carry out a DPIA can be punished with a fine of up to €10 million or up to 2 % of the total global annual turnover generated in the previous financial year, whichever is higher.
In addition to the abstract threats of fines, there are now numerous specific cases in practice: In 2020, the French data protection supervisory authority CNIL imposed a fine of 2.25 million euros on the retail company Carrefour because, among other things, the risk assessments and the associated transparency obligations were inadequate. In Germany, too, authorities such as the State Commissioner for Data Protection and Freedom of Information (LfDI) in Baden-Württemberg have already imposed severe sanctions on companies that have carried out high-risk processing operations without a prior DPIA.
In addition to the financial risk, there is also a considerable loss of reputation: data protection breaches are often communicated publicly - especially in the case of high fines or severely affected groups of people. This can have a lasting negative impact on the trust of customers, employees and business partners. In addition, a lack of DPIA increases the likelihood of complaints from data subjects, investigations by supervisory authorities and, if necessary, civil lawsuits.
Conduct a legally compliant data protection impact assessment with Ailance DSFA
To make this process efficient, standardized and audit-proof, 2B Advice offers Ailance DSFA, a digital solution that supports the entire DPIA process in accordance with Art. 35 GDPR. The software guides you through all the necessary steps in a structured manner, offers industry-specific templates, automatically checks for risk criteria and documents the results in a complete and audit-proof manner. In addition, Ailance DSFA is modularly expandable, can be used in multiple languages and is suitable for both individual data protection officers and group-wide data protection organizations.
With Ailance DSFA you retain control of your data protection impact assessments at all times - regardless of whether you manage individual projects, complex system landscapes or decentralized teams.
👉 Find out more about Ailance DSFA now or arrange a personal consultation with our DPIA experts. Together, we will strengthen your data protection compliance - efficiently, scalably and in a legally compliant manner.