When is there a need for a DPIA?
When is there a need for a DPIA?
A DPIA is mandatory for (envisaged) data processing operations which, given their nature, context and objective, represent a high risk to privacy. There is certainly a high risk in the following cases:
– If you assess individuals on the basis of personal characteristics and base decisions on those characteristics. This includes profiling and forecasting;
– If you process sensitive personal data, such as data regarding health, data on crime or political preferences, on a large scale;
– If you monitor people in public places systematically and on a large scale (e.g. camera surveillance).
In all other instances you must decide for yourself whether an operation entails a “high risk”. If your processing operation meets two or more of the criteria in our DPIA guide, you can assume that you must carry out a DPIA (see our DPIA short version and DPIA long version).