# DPIA Guidance - country by country

This documentation page provides official resources and references from data protection authorities (DPAs) that help determine whether a **Data Protection Impact Assessment (DPIA)** is required. The list is organised by country.

## Europe

### United Kingdom (UK)

**Supervisory Authority:** Information Commissioner’s Office (ICO)\
**Key Guidance:**

* **When is a DPIA required?**\
  [DPIA Guidance – ICO](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/)\
  Describes criteria for high-risk processing, including examples (e.g. profiling, tracking, large-scale special category data).
* **Examples of likely high-risk processing:**\
  [High Risk Processing Examples – ICO](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/)

### Ireland

**Supervisory Authority:** Data Protection Commission (DPC)\
**Key Guidance:**

* **List of processing operations requiring a DPIA:**\
  [DPC DPIA Blacklist (PDF)](https://www.dataprotection.ie/sites/default/files/uploads/2018-11/Data-Protection-Impact-Assessment.pdf)\
  Includes processing activities involving systematic monitoring, special category data, or large-scale profiling.
* **General DPIA Guidance:**\
  [DPIA Guidance – DPC](https://www.dataprotection.ie/en/dpc-guidance/guide-data-protection-impact-assessments)

### France

**Supervisory Authority:** CNIL

* [List of processing operations requiring a DPIA (AIPD) (in French)](https://www.cnil.fr/fr/listes-des-traitements-pour-lesquels-une-aipd-est-requise-ou-non)
* [List of exempted processing operations (PDF) (in French)](https://www.cnil.fr/sites/default/files/atoms/files/liste-traitements-aipd-non-requise.pdf)
* [DPIA Framework & Guide – CNIL](https://www.cnil.fr/en/guidelines-dpia)

### Germany

**Supervisory Authority:** Each German state (Land) has its own DPA, alongside the **BfDI** at federal level.

* [Federal DPIA Criteria (BfDI)](https://www.bfdi.bund.de/DE/Fachthemen/Inhalte/Technik/Datenschutz-Folgenabschaetzungen.html#:~:text=Eine%20Datenschutz%2DFolgenabsch%C3%A4tzung%20\(%20DSFA%20\),nat%C3%BCrlicher%20Personen%20zur%20Folge%20hat.)
  * [List of processing operations pursuant to Article 35(4) GDPR for processing activities carried out by federal public bodies](https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Muster/Liste_VerarbeitungsvorgaengeArt35.pdf?__blob=publicationFile\&v=7)
  * [List of processing activities for which a DSFA must be carried out (DSK)](https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Muster/Liste_VerarbeitungsvorgaengeDSK.pdf?__blob=publicationFile\&v=7)
* By Land
  * [List of processing activities requiring DPIA (Baden-Württemberg DPA)](https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2018/05/Liste-von-Verarbeitungsvorg%C3%A4ngen-nach-Art.-35-Abs.-4-DS-GVO-LfDI-BW.pdf) (in German)
  * [Data protection impact assessment – Bavarian blacklist (in German)](https://www.datenschutz-bayern.de/nav/1801.html)

> 🛑 DPIA criteria vary slightly by **Land** (state) due to Germany’s federal structure.

### Spain

**Supervisory Authority:** Agencia Española de Protección de Datos (AEPD)

* [AEPD – Guide for DPIAs (in Spanish)](https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/analisis-de-riesgos-evaluacion-de-impacto-la-aepd-presenta)
* [AEPD – List of types of data processing operations requiring a data protection impact assessment (article 35(4)) (PDF)](https://www.aepd.es/documento/listas-dpia-es-35-4.pdf)
* [AEPD - list of processing operations that do not require an impact assessment](https://www.aepd.es/documento/listadpia-35-5-ingles.pdf)
* [AEPD - report template to help companies conduct data protection impact assessments](https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/la-aepd-publica-un-modelo-de-informe-para-ayudar-las-empresas)

### Netherlands

**Supervisory Authority:** Autoriteit Persoonsgegevens (AP)

* [DPIA Guidance - AP](https://www.autoriteitpersoonsgegevens.nl/en/themes/basic-gdpr/gdpr-in-practice/data-protection-impact-assessment-dpia)
* [List of types of processing operations for which carrying out a DPIA is mandatory before you start processing - AP (in Dutch)](https://wetten.overheid.nl/BWBR0042812/2019-11-27)

### Belgium

**Supervisory Authority:** Autorité de protection des données (APD)

* [APD – DPIA Guidance (in French)](https://www.autoriteprotectiondonnees.be/professionnel/rgpd-/analyse-d-impact-relative-a-la-protection-des-donnees)
* [List of categories of processing subject to a data protection impact assessment (PDF) (in French)](https://www.autoriteprotectiondonnees.be/publications/decision-n-01-2019-du-16-janvier-2019.pdf)
* [APD - DPIA Guidance (in Dutch)](https://www.gegevensbeschermingsautoriteit.be/professioneel/avg/effectbeoordeling-geb)
* [List of categories of processing subject to a data protection impact assessment (PDF) (in Dutch)](https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-nr.-01-2019-van-16-januari-2019.pdf)
* [GEB/DPIA VTC criteria list (in Dutch)](#user-content-fn-1)[^1]

### Italy

**Supervisory Authority:** Garante per la Protezione dei Dati Personali (GPDP)

* [GPDP – DPIA Guidance Page](https://www.garanteprivacy.it/valutazione-d-impatto-della-protezione-dei-dati-dpia-)
* [List of types of processing subject to the requirement of a data protection impact assessment](https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9058979)

### Sweden

**Supervisory Authority:** Integritetsskyddsmyndigheten (IMY)

* [When should an impact assessment be carried out? - IMY](https://www.imy.se/verksamhet/dataskydd/det-har-galler-enligt-gdpr/konsekvensbedomning/nar-ska-en-konsekvensbedomning-genomforas/#:~:text=Exemplen%20som%20ges%20i%20artikel%2035.3%20i%20GDPR\&text=Behandling%20i%20stor%20omfattning%20av,allm%C3%A4n%20plats%20i%20stor%20omfattning.)
* [Guidance on impact assessment - A practical guide (PDF) (In Swedish)](https://www.imy.se/globalassets/dokument/vagledningar/en-praktisk-guide.pdf)
* [IMY's list of processing operations types that are covered by the requirement for an impact assessment (PDF) (in Swedish)](https://www.imy.se/globalassets/dokument/ovrigt/forteckning---konsekvensbedomningar.pdf)

### Denmark

**Supervisory Authority:** Datatilsynet

* [DPIA Guidance – Datatilsynet](https://www.datatilsynet.dk/regler-og-vejledning/behandlingssikkerhed/konsekvensanalyse)
* [Guidance on impact assessments (PDF) (in Danish)](https://www.datatilsynet.dk/Media/2/6/Konsekvensanalyse.pdf)
* [Datatilsynet's list of processing operations that are always subject to the requirement for an impact assessment (PDF) (in Danish)](https://www.datatilsynet.dk/Media/4/1/Datatilsynets%20liste%20over%20behandlinger%20der%20altid%20er%20underlagt%20kravet%20om%20en%20konsekvensanalyse%20\(2\).pdf)
* [Datatilsynet's list of processing activities subject to the requirement for prior consultation with the supervisory authority pursuant to section 26 of the Law Enforcement Act](https://www.datatilsynet.dk/Media/638423966496872688/Liste%20efter%20retsh%C3%A5ndh%C3%A6velseslovens%20%C2%A7%2026,%20stk.%203.pdf)

### Finland

**Supervisory Authority:** Office of the Data Protection Ombudsman

* [DPIA Guidance (in Finnish)](https://tietosuoja.fi/vaikutustenarviointi)
* [List of DPIA-requiring processing (in Finnish)](https://tietosuoja.fi/luettelo-vaikutustenarviointia-edellyttavista-kasittelytoimista)

### Austria

**Supervisory Authority:** Datenschutzbehörde (DSB)

* [DPIA Guidance – WKO (in German)](https://ratgeber.wko.at/dsfa/)
* [List of processing operations requiring a DPIA – DSB (PDF)](https://www.ris.bka.gv.at/eli/bgbl/II/2018/278/20181109)
* [Exceptions to the data protection impact assessment (DPIA) - DSB (PDF)](https://www.ris.bka.gv.at/eli/bgbl/II/2018/108/20180525)

### Czech Republic

**Supervisory Authority:** Úřad pro ochranu osobních údajů (UOOU)

* [DPIA Guidance - UOOU (in Czech)](https://uoou.gov.cz/profesional/metodiky-a-doporuceni-pro-spravce/posouzeni-vlivu-na-ochranu-osobnich-udaju)
* [General Data Protection Impact Assessment Methodology (PDF document) – UOOU (in Czech)](https://uoou.gov.cz/media/profesional/metodika-obecneho-posouzeni-vlivu-na-ochranu-osobnich-udaju.pdf)
* [List of types of processing operations (not) subject to the requirement for a Data Protection Impact Assessment (DPIA) (PDF document) - UOOU (in Czech)](https://uoou.gov.cz/media/profesional/seznam-operaci-zpracovani-nepodlehajicich-pozadavku-na-dpia.pdf)

### Poland

**Supervisory Authority:** Urząd Ochrony Danych Osobowych (UODO)

* [DPIA Guidance – UODO (in Polish)](https://uodo.gov.pl/pl/598/3617?mkt_tok=MTM4LUVaTS0wNDIAAAGZm5Te7KF5c_87ovOvFSvFlk8TT1HkKjhhYeegH3TbE8QJRvBLS2CpCfzokPMEBeuc49OMBxEHR-wUHla56YileVIl8xBAGkhX55NXHMT_LCc8)
* [List of types of personal data processing operations requiring an assessment of the impact of processing on the protection of personal data – UODO (in Polish)](https://monitorpolski.gov.pl/MP/2019/666)
* [Conference video "Risk assessment and personal data protection" - UODO (in Polish)](https://uodo.gov.pl/pl/138/3507)

### Portugal

**Supervisory Authority:** Comissão Nacional de Proteção de Dados (CNPD)

* [DPIA Guidance – CNPD (in Portuguese)](https://www.cnpd.pt/organizacoes/outras-obrigacoes/avaliacao-de-impacto/)
* [List of processing operations types requiring a DPIA (PDF)](https://www.cnpd.pt/umbraco/surface/cnpdDecision/download/121818) - CNPD

### Croatia

**Supervisory Authority:** Agencija za zaštitu osobnih podataka (AZOP)

* [DPIA Guidance – AZOP (in Croatian)](https://azop.hr/provodenje-procjene-ucinka-na-zastitu-podataka-dpia-postupci-obrade-koji-predstavljaju-mogucnost-visokog-rizika/)
* [List of types of processing operations subject to the requirement for a data protection impact assessment - AZOP (in Croatian)](https://azop.hr/odluka-o-uspostavi-i-javnoj-objavi-popisa-vrsta-postupaka-obrade-koje-podlijezu-zahtjevu-za-procjenu-ucinka-na-zastitu-podataka/)

### Slovakia

**Supervisory Authority:** Úrad na ochranu osobných údajov Slovenskej republiky (UOOU SR)

* [List of processing operations subject to impact assessment on the protection of personal data of the Slovak Republic - UOOU SR (PDF) (in Slovakian)](https://dataprotection.gov.sk/files/metod-urad/3/zoznam_spracovatelskych_operacii_ktore_podliehaju_posudeniu_vplyvu.pdf)
* [DPIA Guidelines - UOOU SR (in Slovakian)](https://dataprotection.gov.sk/sk/aktuality/zoznam-spracovatelskych-operacii-ktore-podliehaju-poziadavke-posudenie-vplyvu.html)

### Hungary

**Supervisory Authority:** Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)

* [DPIA Guidance – NAIH (in Hungarian)](https://www.naih.hu/az-adatvedelmi-hatasvizsgalat-es-elozetes-konzultacioja)
* [List of processing operations subject to impact assessment - NAIH (in Hungarian)](https://www.naih.hu/hatasvizsgalati-lista)

### Romania

**Supervisory Authority:** Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

* [List of processing operations subject to impact assessment - ANSPDCP (PDF) (in Romanian)](https://www.dataprotection.ro/servlet/ViewDocument?id=1556)
* [Decision no. 174 of the 18th of October 2018 on the list of kind of processing operations which are subject to the requirement for a data protection impact assessment (PDF) (in English)](https://www.dataprotection.ro/servlet/ViewDocument?id=1870)

### Bulgaria

**Supervisory Authority:** Commission for Personal Data Protection (CPDP)

* [List of types of personal data processing operations for which an assessment of the impact on data protection is required (in Bulgarian)](https://cpdp.bg/home-default/%D0%BD%D0%B0%D1%81%D0%BE%D0%BA%D0%B8/%D1%81%D0%BF%D0%B8%D1%81%D1%8A%D0%BA-%D0%BD%D0%B0-%D0%B2%D0%B8%D0%B4%D0%BE%D0%B2%D0%B5%D1%82%D0%B5-%D0%BE%D0%BF%D0%B5%D1%80%D0%B0%D1%86%D0%B8%D0%B8-%D0%BF%D0%BE-%D0%BE%D0%B1%D1%80%D0%B0%D0%B1%D0%BE/)

### Lithuania

**Supervisory Authority:** Valstybinė duomenų apsaugos inspekcija (VDAI)

* [List of data processing operations subject to data protection impact assessment - VDAI (PDF) (in Lithuanian)](https://vdai.lrv.lt/uploads/vdai/documents/files/06%20Poveikio%20duomen%C5%B3%20apsaugai%20vertinimas%202019-03-18.pdf)

### Latvia

**Supervisory Authority:** Datu valsts inspekcija (DVI)

* [Types of processing activities for which a data protection impact assessment must be carried out – DVI (in Latvian)](https://www.dvi.gov.lv/lv/media/92/download?attachment)

### Luxembourg

**Supervisory Authority:** Commission Nationale pour la Protection des Données (CNPD)

* [DPIA Guidance – CNPD](https://cnpd.public.lu/fr/professionnels/obligations/AIPD.html)
* [List of processing operations requiring a DPIA – CNPD (in French)](https://cnpd.public.lu/fr/professionnels/obligations/AIPD/liste-dpia.html)
* [DPIA infographic - CNPD](https://cnpd.public.lu/dam-assets/fr/professionnels/aipd/Infographie-AIPD.pdf)

### Greece

**Supervisory Authority:** Hellenic Data Protection Authority (HDPA) – Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

* [DPIA Guidelines – HDPA](https://www.dpa.gr/el/foreis/ektimisi_adiktipou_kai_diavouleush/ektimisi_adiktipou)
* [List of processing operations requiring a DPIA (Blacklist) – HDPA (PDF, English)](https://doc.dastra.eu/nl/)

### Switzerland

**Supervisory Authority:** Federal Data Protection and Information Commissioner (FDPIC / PFPDT)

Although Switzerland is not part of the EU, it has **DPIA-equivalent requirements** under its revised Federal Act on Data Protection (FADP, 2023):

* [Checklist for data protection impact assessments (DPIA) pursuant to Articles 22 and 23 of the Data Protection Act (DPA)](https://backend.edoeb.admin.ch/fileservice/sdweb-docs-prod-edoebch-files/files/2024/11/05/eb84f377-103e-4e7f-9896-62ec970f2290.pdf)
* [Guide to implementing DPIA](https://www.bj.admin.ch/bj/fr/home/staat/datenschutz/info-bundesbehoerden.html)

> ✅ Required if a processing operation is likely to result in a high risk to personality or fundamental rights. Similar structure to Article 35 GDPR.

[^1]: <https://www.vlaanderen.be/vlaamse-toezichtcommissie/machtigingen-en-adviezen-vlaamse-toezichtcommissie/lijst-vtc-criteria-geb-dpia>

