TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | WP29 proposes DPIA guidelines, shedding light on “high risk” processing Related reading: Thoughts on behavioral advertising, Meta and privacy


Among the new requirements of the European Union’s General Data Protection Regulation are the mandatory data protection impact assessments enshrined in Article 35. DPIAs are designed to evaluate processing practices, assess the necessity and proportionality of processing, and assist in managing risks to data subjects — essentially, to measure and demonstrate compliance with the GDPR. The penalties for non-compliance in fulfilling DPIA requirements are severe. Violations can result in administrative fines of up to 10 million euros or up to 2 percent of the organization’s total worldwide annual turnover for the preceding financial year.

On April 4, 2017, the Article 29 Data Protection Working Party released proposed guidelines for the GDPR’s DPIA requirements, which are open to public comment through May 23, 2017, by emailing The guidelines seek to clarify how DPIAs will function and when they are necessary.

Below are the key takeaways for data processors in understanding the newly proposed DPIA guidelines:

What does a DPIA address?

A single DPIA may address either a single data processing operation or multiple processing operations if they are similar in terms of risk, nature, scope, context, and purpose. One example of this would be a railway operator using one DPIA to cover video surveillance in all of its train stations. In this case, a single controller is using the same or similar technology for the same purpose in multiple locations. If a processing operation involves joint controllers, the DPIA must precisely set out which controller is responsible for each part of the processing operation.

Which processing operations are subject to a DPIA?

A DPIA is mandatory if the processing operation is “likely to result in a high risk to the rights and freedoms of natural persons.” When determining whether processing is likely to result in high risk, the guidelines offer the following criteria to consider:

  • Are you doing evaluation or scoring (including profiling and predicting) of aspects specific to the data subject?
  • Does the processing involve automated decision making that produces significant effect on the data subject?
  • Are you performing systematic monitoring of data subjects, including in a publicly accessible area?
  • Does the processing involve sensitive data (special categories of data as defined in Article 9 and data regarding criminal offences)?
  • Is the data being processed on a large scale?
  • Have datasets been matched or combined?
  • Does the data concern vulnerable data subjects (as laid out in Recital 75)?
  • Is this an innovative use or does it apply technological or organizational solutions (for example, combining use of finger print and facial recognition)?
  • Are you transferring data outside the European Union?
  • Will the processing itself prevent data subjects from exercising a right or using a service or a contract?

The guidelines offer a general rule of thumb that processing operations meeting at least two of these criteria will require a DPIA. However, a processing operation meeting only one criterion may require a DPIA depending on the circumstance. The guidelines also recommend using a DPIA when a processing operation is using new data processing technology. If in doubt over whether a DPIA is required, err on the side of caution and carry out a DPIA. Processors and controllers should note that if a processing operation is deemed “high risk” enough to warrant a DPIA, it must also fulfill the high risk obligations found in Article 36 (consulting the relevant supervisory authority before conducting the processing) and Article 34 (notifying individuals of personal data breaches).

A DPIA is not required when processing is not “likely to result in a high risk,” has already been authorized in a very similar processing, has a legal basis in EU or Member State law, or where the processing is included on the optional list established by the supervisory authority of exempted processing operations.

The DPIA requirement will apply to processing operations initiated after May 25, 2018. The Working Party strongly recommends carrying out DPIAs for processing operations that start prior to May 25, 2018, that are still in progress at that date, especially if the processing has incorporated a new technology or changed in purpose, risk, context, or source.

How to carry out a DPIA

A DPIA should be carried out prior to the actual processing. While the DPIA may be carried out by another party, the controller maintains accountability for assuring that the requirement is satisfied. The controller should consult with the Data Protection Officer (DPO) and incorporate the DPO’s advice into the DPIA. If a data processor performs all or part of the processing, the processor should also assist with the DPIA. Where appropriate, a controller should seek the views of data subjects regarding processing as well. The guidelines state that the controller should document its reasons for not seeking the views of data subjects if it deems such action not appropriate. However, the guidelines offer no guidance to determine when seeking data subjects’ views is or is not appropriate.

A DPIA must include, at minimum, four features:

  • A description of the proposed processing operation and its purpose.
  • An assessment of the processing’s necessity and proportionality.
  • An assessment of risks to data subjects.
  • Measures to address the risks and demonstrate compliance with the GDPR.

In addition, the DPIA must look at compliance with any applicable codes of conduct.

Though all of these components are necessary, the exact form and structure of each DPIA is left flexible in order to fit within each controller’s existing structure and practices. In all forms, the DPIA serves as a genuine assessment of risks and a tool for addressing those risks. The guidelines include annexes with examples of frameworks and criteria for an acceptable DPIA. The WP29 also encourages the development of sector-specific DPIA frameworks to better address particular types of processing operations.

While publishing a DPIA is not legally required, the guidelines strongly urge controllers to consider publishing all or part of their DPIAs to help foster trust in the processing operations and demonstrate transparency. This is particularly useful in cases where members of the public are affected by the processing operation, such as when public authorities carry out DPIAs. 

Consult supervisory authority if residual risks are high

In a circumstance where a DPIA identifies risks that cannot be sufficiently mitigated by the data controller, the data controller must consult the supervisory authority. This includes a situation where data subjects may encounter significant or irreversible consequences from the processing or when it seems obvious that the risk will occur. Controllers must also consult the supervisory authority when the Member State law mandates consultation for performance of a task carried out in the public interest. Requirements to retain records of the DPIA and update the DPIA still apply in these cases.


DPIAs serve to facilitate compliance with the GDPR. The WP29's proposed guidelines shed light on how controllers can prepare to implement DPIAs into their processing operations. These assessments are particularly important whenever high-risk data is processed. The guidelines therefore also help controllers and processors understand which situations present a “high risk” under the GDPR, which will be useful for construing many of the regulation’s key risk-based provisions.


If you want to comment on this post, you need to login.

  • comment Jussi Leppala • Apr 13, 2017
    It is interesting that HR data processing may exceed the DPIA threshold for many multinationals: WP29 explicitly mention that employees would often qualify as "vulnerable data subjects" because of the power imbalance of the employer-employee relationship.  Multinationals would also often need to transfer their HR data outside of the EU. Therefore, two criteria set by WP29 are met and according to their rule of thumb, a DPIA would be required.  Do you think that this was intentional?
  • comment Richard Beaumont • Apr 13, 2017
    Processing via cookies and other tracking technologies online or in apps is almost certainly going to tick many of the boxes in most cases.
    So a DPIA on a new website is likely to be mandatory on these guidelines.
  • comment Calli Schroeder • Apr 13, 2017
    Mr. Leppala - Thank you for your comment.  My guess is that it was intentional.  They use employee data as a specific example when discussing vulnerable data subjects and were clear that processing that meets at least two criteria should prompt a DPIA (and that sometimes only one criterion is necessary to prompt a DPIA).
    It's possible that the guideline draft was written intentionally broadly in the assumption that comments received would narrow the final language.  It will be interesting to see how these change before the final draft.
  • comment Calli Schroeder • Apr 13, 2017
    Mr. Beaumont - This is a great point.  It will be interesting to see if comment prompt them to specifically address cookies in the final guidelines.
  • comment Remco van den Dungen • May 16, 2017
    Interesting part is that while the DPIA has to include at least those four elements, the GDPR or WP29 do not go into full detail on that (as said in this article). This leaves room for a proportional approach, where early in the DPIA you could detect that you do not need to go into too much detail. This also seems to live by the spirit of the GDPR mentioning 'proportionate effort' and 'adequacy' at several points.
    Also, I think the HR data processing ticking off multiple checkboxes is intentional. It is often used as an example of vulnerable data subjects. This also is true when talking about consent and choice in combination with HR data processing. The fact that you can not use consent freely in those cases seems to imply you need to think about it a bit more with a DPIA.
  • comment Robert Gilbert • Sep 14, 2017
    I am curious to know if DPOs should write DPIAs for their organizations, or would this represent some sort of conflict of interest for the DPO? My instinct is that it would be a conflict, but I can't quite explain how. Anyway, very interested to hear any thoughts on this.