DPIA Guidance - country by country

Guidance on data processing activities requiring a DPIA.

This documentation page provides official resources and references from data protection authorities (DPAs) that help determine whether a Data Protection Impact Assessment (DPIA) is required. The list is organised by country.

Europe

United Kingdom (UK)

Supervisory Authority: Information Commissioner’s Office (ICO) Key Guidance:

Ireland

Supervisory Authority: Data Protection Commission (DPC) Key Guidance:

  • List of processing operations requiring a DPIA: DPC DPIA Blacklist (PDF) Includes processing activities involving systematic monitoring, special category data, or large-scale profiling.

  • General DPIA Guidance: DPIA Guidance – DPC

France

Supervisory Authority: CNIL

Germany

Supervisory Authority: Each German state has its own DPA (e.g. BfDI at federal level).

🛑 DPIA criteria vary slightly by Land (state) due to Germany’s federal structure.

Spain

Supervisory Authority: Agencia Española de Protección de Datos (AEPD)

Netherlands

Supervisory Authority: Autoriteit Persoonsgegevens (AP)

Belgium

Supervisory Authority: Autorité de protection des données (APD)

Italy

Supervisory Authority: Garante per la Protezione dei Dati Personali (GPDP)

Sweden

Supervisory Authority: Integritetsskyddsmyndigheten (IMY)

Denmark

Supervisory Authority: Datatilsynet

Finland

Supervisory Authority: Office of the Data Protection Ombudsman

Austria

Supervisory Authority: Datenschutzbehörde (DSB)

Czech Republic

Supervisory Authority: Úřad pro ochranu osobních údajů (UOOU)

Poland

Supervisory Authority: Urząd Ochrony Danych Osobowych (UODO)

Portugal

Supervisory Authority: Comissão Nacional de Proteção de Dados (CNPD)

Croatia

Supervisory Authority: Agencija za zaštitu osobnih podataka (AZOP)

Slovakia

Supervisory Authority: Úrad na ochranu osobných údajov Slovenskej republiky (UOOU SR)

Hungary

Supervisory Authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)

Romania

Supervisory Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

Bulgaria

Supervisory Authority: Commission for Personal Data Protection (CPDP)

🇱🇹 Lithuania

Supervisory Authority: Valstybinė duomenų apsaugos inspekcija (VDAI)

🇱🇻 Latvia

Supervisory Authority: Datu valsts inspekcija (DVI)

Luxembourg

Supervisory Authority: Commission Nationale pour la Protection des Données (CNPD)

Grèce

Supervisory Authority: Hellenic Data Protection Authority (HDPA) – Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

Switzerland

Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC / PFPDT / PFPDT)

Although Switzerland is not part of the EU, it has DPIA-equivalent requirements under its revised Federal Act on Data Protection (FADP, 2023):

✅ Required if a processing operation is likely to result in a high risk to personality or fundamental rights. Similar structure to Article 35 GDPR.

Last updated

Was this helpful?