List compiled by the Office of the Data Protection Ombudsman of processing operations which require data protection impact assessment (DPIA)

Updated 21.12.2018

Article 35 (1) GDPR requires a DPIA when the processing activity is likely to result in a high risk to the rights and freedoms of natural persons.

Article 35 (3) GDPR provides a non-exhaustive list of types of processing that require a DPIA.

According to Article 35(4) GDPR, the supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a DPIA.

Nature of the list

This list is not exhaustive.

Reference to the guidelines

This list of processing operations which require a DPIA further specifies Article 35(1) of the General Data Protection Regulation. The list is based on the Working Party 29 WP 248 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679. This list complements and further specifies these guidelines.

The Finnish Data Protection Ombudsman requires a DPIA for the following processing activities:

Biometric data

Without prejudice to Article 35(3) GDPR, a DPIA must be done when biometric data is processed for the purpose of uniquely identifying a natural person in conjunction with at least one of the following criteria:

  • biometric data is processed for evaluation or scoring of the data subject
  • processing of biometric data aims at automated decision-making with legal or similarly significant effect
  • processing of biometric data is used for systematic monitoring of data subjects
  • biometric data is processed on a large scale
  • processing of biometric data includes matching or combining datasets
  • the biometric data processed concerns vulnerable data subjects
  • biometric data is processed in an innovative use or by applying new technological or organizational solutions
  • processing of biometric data prevents data subjects from exercising a right or using a service or a contract

Genetic data

Without prejudice to Article 35(3) GDPR, a DPIA must be done when genetic data is processed in conjunction with at least one of the following criteria:

  • genetic data is processed for evaluation or scoring of the data subject
  • processing of genetic data aims at automated decision-making with legal or similarly significant effect
  • processing of genetic data is used for systematic monitoring of data subjects
  • genetic data is processed on a large scale
  • processing of genetic data includes matching or combining datasets
  • the genetic data processed concerns vulnerable data subjects
  • genetic data is processed in an innovative use or by applying new technological or organizational solutions
  • processing of genetic data prevents data subjects from exercising a right or using a service or a contract

Location data

A DPIA must be done when location data is processed in conjunction with at least one of the following criteria:

  • location data is processed for evaluation or scoring of the data subject
  • processing of location data aims at automated decision-making with legal or similarly significant effect
  • processing of location data is used for systematic monitoring of data subjects
  • the location data processed reveals sensitive data or data of a highly personal nature
  • location data is processed on a large scale
  • processing of location data includes matching or combining datasets
  • the location data processed concerns vulnerable data subjects
  • location data is processed in an innovative use or by applying new technological or organizational solutions
  • processing of location data prevents data subjects from exercising a right or using a service or a contract

Exceptions to information to be provided to the data subject according to Article 14(5) GDPR

A DPIA must be done when personal data is collected from a source other than the data subject without providing them with a privacy notice, on the basis of Article 14(5)(b) GDPR, in conjunction with at least one of the following criteria:

  • personal data is processed for evaluation or scoring of the data subject
  • processing of personal data aims at automated decision-making with legal or similarly significant effect
  • processing of personal data is used for systematic monitoring of data subjects
  • sensitive personal data or data of a highly personal nature is processed
  • personal data is processed on a large scale
  • processing of personal data includes matching or combining datasets
  • the personal data processed concerns vulnerable data subjects
  • personal data is processed in an innovative use or by applying new technological or organizational solutions
  • processing of personal data prevents data subjects from exercising a right or using a service or a contract

Processing of personal data in whistleblower systems

Whistleblowing systems give organisations’ staff or other parties an opportunity to report unethical conduct, practices that are contrary to the organisation’s values or internal infringements anonymously. Whistleblowing systems can be used, for example, to ensure that the principles of an organisation’s decision-making and supervision system are followed in its daily administration.