Data Protection Impact Assessment (DPIA)
A structured risk analysis required by Art. 35 GDPR before processing activities that are likely to result in a high risk to the rights of data subjects.
A Data Protection Impact Assessment (DPIA) is a structured procedure for assessing risks before a processing activity is put into operation, where that activity is likely to result in a high risk to the rights and freedoms of natural persons. Art. 35 GDPR sets out illustrative cases where a DPIA is mandatory: systematic and extensive profiling with significant effects on individuals, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas.
A DPIA must contain at least the following elements: a systematic description of the envisaged processing operations and the purposes of the processing; an assessment of the necessity and proportionality of the processing in relation to its purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address those risks, including safeguards and security measures. If the residual risk remains high after the planned measures have been applied, the competent supervisory authority must be consulted before the processing begins (Art. 36 GDPR).
Compliance officers should take a proactive approach: even at the planning stage of new projects, a threshold analysis should be used to determine whether a DPIA is required. Supervisory authorities have published lists of processing types that are always subject to a mandatory DPIA. Once completed, a DPIA must be documented, regularly reviewed, and updated whenever the processing activity changes materially. The involvement of the Data Protection Officer is a legal requirement under Art. 35(2) GDPR.
Legal Basis
Art. 35 GDPR
Practical Example
Your organisation plans to introduce an AI-based recruitment management system that automatically analyses CVs and ranks applicants using algorithmic scoring. As compliance officer, you recognise that this constitutes automated decision-making with significant effects on data subjects. You initiate a DPIA, identify risks including potential algorithmic bias and insufficient transparency for applicants, and recommend measures such as mandatory human review of all negative decisions, a detailed privacy notice, and regular bias audits. Only after these measures have been implemented and the Data Protection Officer has signed off do you approve the system for production use.