How to identify processing operations subject to a DPIA
According to the European Data Protection Board (EDPB), the drafting of a DPIA is mandatory when 2 criteria from the list below are met.
Conversely, an impact assessment is not required for certain types of operations, notably:
- the processing involves the collection of personal data on a large scale;
- the processing involves combining data;
- the processing involves systematic monitoring;
- the processing involves an evaluation (scoring, profiling);
- the processing is based on automated decision-making;
- the processing involves the collection of sensitive data or highly personal data (bank card number…);
- the processing involves the collection of data from vulnerable persons;
- the processing involves the use of innovative technology;
- the processing has the effect of excluding the benefit of a right or contract (blacklists…).
