The data protection impact assessment pursuant to Art. 35 DSGVO is mandatory for high-risk processing activities. Learn when it applies, how to structure the process and which mistakes to avoid.
Table of Contents
- Data Protection Impact Assessment: When Is It Mandatory?
- Legal Basis: Art. 35 DSGVO at a Glance
- Distinction from the General Risk Analysis
- When Is a DPIA Mandatory?
- The Three Standard Examples of Art. 35(3) DSGVO
- The Blacklist of the Supervisory Authorities
- Practical Examples from Business Operations
- The DPIA Process Step by Step
- Step 1: Threshold Analysis
- Step 2: Systematic Description of the Processing
- Step 3: Assessment of Necessity and Proportionality
- Step 4: Risk Assessment
- Step 5: Define Remedial Measures
- The Role of the Data Protection Officer
- Consultation of the Supervisory Authority Under Art. 36 DSGVO
- Documentation and Link to the Record of Processing Activities
- Common Mistakes in Practice
- Mistake 1: DPIA Treated as a Mere Formality
- Mistake 2: Failure to Update
- Mistake 3: Data Protection Officer Not Involved
- Mistake 4: No Threshold Analysis
- Conclusion
Data Protection Impact Assessment: When Is It Mandatory?
Few instruments of the DSGVO generate as much uncertainty in practice as the data protection impact assessment (DPIA). Many companies know that it exists, yet the question of exactly when a DPIA must be carried out and what it must contain in concrete terms frequently remains unanswered. Non-compliance may result in substantial fines. This article provides you with a practice-oriented guide to correctly classify the DPIA obligation and structure the process efficiently.
Legal Basis: Art. 35 DSGVO at a Glance
The data protection impact assessment is governed by Art. 35 of the General Data Protection Regulation (DSGVO). Pursuant to paragraph 1, a DPIA must be carried out whenever a form of processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. The use of new technologies must be taken into particular account.
The DPIA is not a one-off exercise but an ongoing process. If the circumstances of the processing change, the existing DPIA must be reviewed and updated as necessary.
Distinction from the General Risk Analysis
An important distinction: the DPIA goes beyond the general risk assessment that you should carry out in any event as part of your data protection management. While the general risk analysis covers all processing activities, the DPIA applies only to processing with a likely high risk. It is, in effect, the in-depth review for particularly critical data processing operations.
When Is a DPIA Mandatory?
The Three Standard Examples of Art. 35(3) DSGVO
The legislator sets out three categories in Art. 35(3) DSGVO in which a DPIA is particularly required:
- Systematic and extensive evaluation of personal aspects (profiling): this covers automated processing, including profiling, on the basis of which decisions are taken that produce legal effects concerning natural persons or similarly significantly affect them.
- Large-scale processing of special categories of personal data: where health data, biometric data, data on political opinions or other sensitive data pursuant to Art. 9 DSGVO are processed on a large scale, a DPIA must be carried out.
- Systematic extensive monitoring of publicly accessible areas: this concerns in particular video surveillance systems in publicly accessible spaces.
The Blacklist of the Supervisory Authorities
In addition to the standard examples, the German supervisory authorities have published a so-called blacklist (also: must-list) pursuant to Art. 35(4) DSGVO. This list contains specific processing activities for which a DPIA must be carried out. Among the cases listed are:
- Use of scoring procedures to assess creditworthiness
- Large-scale processing of employee data for behavioural and performance monitoring
- Creation of comprehensive profiles of the interests, locations or movements of natural persons
- Aggregation of personal data from different sources (data warehousing)
- Use of artificial intelligence to process personal data in order to steer interaction with data subjects
- Processing of data subject to social, professional or official secrecy
The blacklist is not exhaustive. Processing activities not on the list may also require a DPIA if they carry a high risk.
Practical Examples from Business Operations
To make the DPIA obligation tangible, here are some concrete scenarios:
- Video surveillance in the workplace: comprehensive video surveillance in office or production premises generally requires a DPIA, as employees are systematically monitored.
- GPS tracking of company vehicles: if the location of company vehicles is continuously recorded to monitor routes or working hours, this constitutes systematic monitoring.
- AI-based applicant screening: automated pre-selection of applications by algorithms constitutes profiling that triggers a DPIA.
- Customer loyalty programmes with profiling: if you create detailed customer profiles from purchasing behaviour, location data and demographic information, a DPIA is required.
The DPIA Process Step by Step
Step 1: Threshold Analysis
Before carrying out a full DPIA, a threshold analysis is recommended. This preliminary check serves to determine whether a high risk exists at all and a DPIA is necessary. Document the result of the threshold analysis carefully. Even a negative result (no DPIA required) should be substantiated in a comprehensible manner.
Step 2: Systematic Description of the Processing
If a DPIA is required, begin with a detailed description of the planned processing operations:
- Purpose of the processing: what objective are you pursuing?
- Types of data: what personal data are being processed?
- Data subjects: who is affected by the processing?
- Recipients of the data: to whom are the data disclosed?
- Retention period: how long are the data stored?
- Technical and organisational measures: what safeguards are in place?
- Legal basis: on what legal basis is the processing carried out?
Step 3: Assessment of Necessity and Proportionality
Examine whether the planned processing is necessary and proportionate in relation to the purpose pursued. Are there less intrusive means that achieve the same purpose without creating such a high risk for the data subjects? This assessment is a central component of the DPIA and must not be dealt with in a merely formulaic manner.
Step 4: Risk Assessment
Assess the risks to the rights and freedoms of the data subjects. Take into account:
- Likelihood of occurrence: how probable is it that the risk materialises?
- Severity of harm: what impact would a materialisation of the risk have on the data subjects?
The risks should be presented in a matrix that accounts for both the likelihood of occurrence and the severity of harm. Typical risk categories include: physical, material or non-material damage, discrimination, identity theft, financial losses, reputational damage or loss of confidentiality.
Step 5: Define Remedial Measures
For each identified risk, you must define remedial measures that reduce the risk to an acceptable level. Typical measures include:
- Pseudonymisation and encryption
- Access restrictions and authorisation concepts
- Regular review and deletion
- Staff training
- Transparency towards data subjects
The Role of the Data Protection Officer
Pursuant to Art. 35(2) DSGVO, the advice of the data protection officer must be sought when carrying out a DPIA, provided one has been appointed. The data protection officer has an advisory role. Responsibility for carrying out the DPIA and for the resulting decisions remains with the controller, i.e. generally with the management.
In practice, it is advisable to involve the data protection officer from the outset. Their expertise can help to identify risks early and determine appropriate remedial measures.
Consultation of the Supervisory Authority Under Art. 36 DSGVO
If the DPIA reveals that the processing would, despite all remedial measures, continue to entail a high residual risk, the controller is obliged pursuant to Art. 36 DSGVO to consult the competent supervisory authority prior to the processing. This so-called prior consultation is rare in practice but should not be overlooked. The supervisory authority may, in the course of the consultation, issue recommendations or prohibit the processing.
Documentation and Link to the Record of Processing Activities
The DPIA must be comprehensively documented. Proper documentation comprises:
- Description of the processing operations and purposes
- Assessment of necessity and proportionality
- Result of the risk assessment
- Planned remedial measures
- Opinion of the data protection officer
- Date and responsible persons
The DPIA should also be linked to your record of processing activities (Art. 30 DSGVO). Ideally, the relevant entries in the record refer to the associated DPIA and vice versa. This creates consistent and complete data protection documentation.
Common Mistakes in Practice
Mistake 1: DPIA Treated as a Mere Formality
Many companies prepare a DPIA merely as a compliance exercise, without actually analysing the risks in depth. Such a pro-forma DPIA will not withstand scrutiny by the supervisory authority.
Mistake 2: Failure to Update
A DPIA is not a one-off document. If the circumstances of the processing change, for example through the use of new software, new data recipients or changed purposes, the DPIA must be reviewed and adjusted.
Mistake 3: Data Protection Officer Not Involved
Bypassing the data protection officer constitutes not only a procedural error but also wastes valuable expertise.
Mistake 4: No Threshold Analysis
Without a documented threshold analysis, you cannot subsequently demonstrate why you dispensed with a DPIA. This can prove problematic in the event of a regulatory audit.
Conclusion
The data protection impact assessment is an indispensable instrument of risk-based data protection management. It protects not only the rights of data subjects but also your company from regulatory action and reputational damage. The key is to regard the DPIA not as a bureaucratic hurdle but as an opportunity to systematically review and improve data processing operations.
At compleneo, we support companies in establishing a practical DPIA process, from the threshold analysis through the risk assessment to the complete documentation. Contact us if you have questions about the data protection impact assessment or need support with implementation.