DPIA Guidance - country by country

This documentation page provides official resources and references from data protection authorities (DPAs) that help determine whether a Data Protection Impact Assessment (DPIA) is required. The list is organised by country.

Europe

United Kingdom (UK)

Supervisory Authority: Information Commissioner’s Office (ICO) Key Guidance:

• When is a DPIA required? DPIA Guidance – ICO Describes criteria for high-risk processing, including examples (e.g. profiling, tracking, large-scale special category data).

• Examples of likely high-risk processing: High Risk Processing Examples – ICO

Ireland

Supervisory Authority: Data Protection Commission (DPC) Key Guidance:

• List of processing operations requiring a DPIA: DPC DPIA Blacklist (PDF) Includes processing activities involving systematic monitoring, special category data, or large-scale profiling.

• General DPIA Guidance: DPIA Guidance – DPC

France

Supervisory Authority: CNIL

• Liste des traitements nécessitant une AIPD (DPIA)

• Liste des traitements exemptés (PDF)

• DPIA Framework & Guide – CNIL

Germany

Supervisory Authority: Each German state has its own DPA (e.g. BfDI at federal level).

• Federal DPIA Criteria (BfDI)

  • List of processing operations pursuant to Article 35(4) GDPR for processing activities carried out by federal public bodies

  • List of processing activities for which a DSFA must be carried out (DSK)

• By Land

  • List of processing activities requiring DPIA (Baden-Württemberg DPA) (in German)

  • Data protection impact assessment – Bavarian blacklist (in German)

🛑 DPIA criteria vary slightly by Land (state) due to Germany’s federal structure.

Spain

Supervisory Authority: Agencia Española de Protección de Datos (AEPD)

• AEPD – Guide for DPIAs (in Spanish)

• AEPD – List of types of data processing operations requiring an data protection impact assessment (article 35(4)) (PDF)

• AEPD - list of processing operations that do not require an impact assessment

• AEPD - report template to help companies conduct data protection impact assessments

Netherlands

Supervisory Authority: Autoriteit Persoonsgegevens (AP)

• DPIA Guidance - AP

• list of types of processing operations for which carrying out a DPIA is mandatory before you start processing - AP (in Dutch)

Belgium

Supervisory Authority: Autorité de protection des données (APD)

• APD – DPIA Guidance (in French)

• List of categories of processing subject to a data protection impact assessment (PDF) (in French)

• APD - DPIA Guidance (in Dutch)

• List of categories of processing subject to a data protection impact assessment (PDF) (in Dutch)

• GEB/DPIA VTC criteria list (in Dutch)

Italy

Supervisory Authority: Garante per la Protezione dei Dati Personali (GPDP)

• GPDP – DPIA Guidance Page

• List of types of processing subject to the requirement of a data protection impact assessment

Sweden

Supervisory Authority: Integritetsskyddsmyndigheten (IMY)

• When should an impact assessment be carried out? - IMY

• Guidance on impact assessment - A practical guide (PDF) (In Swedish)

• IMY's list of processing operations types that are covered by the requirement for an impact assessment (PDF) (in Swedish)

Denmark

Supervisory Authority: Datatilsynet

• DPIA Guidance – Datatilsynet

• Guidance on impact assessments (PDF) (in Danish)

• Datatilsynet's list of processing operations that are always subject to the requirement for an impact assessment (PDF) (in Danish)

• Datatilsynet's list of processing activities subject to the requirement for prior consultation with the supervisory authority pursuant to section 26 of the Law Enforcement Act

Finland

Supervisory Authority: Office of the Data Protection Ombudsman

• DPIA Guidance (in Finnish)

• List of DPIA-requiring processing (in Finnish)

Austria

Supervisory Authority: Datenschutzbehörde (DSB)

• DPIA Guidance – WKO (in German)

• List of processing operations requiring a DPIA – DSB (PDF)

• Exceptions to the data protection impact assessment (DPIA) - DSB (PDF)

Czech Republic

Supervisory Authority: Úřad pro ochranu osobních údajů (UOOU)

• DPIA Guidance - UOOU (in Czech)

• General Data Protection Impact Assessment Methodology (PDF document) – UOOU (in Czech)

• List of types of processing operations (not) subject to the requirement for a Data Protection Impact Assessment (DPIA) (PDF document) - UOOU (in Czech)

Poland

Supervisory Authority: Urząd Ochrony Danych Osobowych (UODO)

• DPIA Guidance – UODO (in Polish)

• List of types of personal data processing operations requiring an assessment of the impact of processing on the protection of personal data – UODO (in Polish)

• Conference video "Risk assessment and personal data protection" - UODO (in Polish)

Portugal

Supervisory Authority: Comissão Nacional de Proteção de Dados (CNPD)

• DPIA Guidance – CNPD (in Portuguese)

• List of processing operations types requiring a DPIA (PDF) - CNPD

🇭🇷 Croatia

Supervisory Authority: Agencija za zaštitu osobnih podataka (AZOP)

• DPIA Guidance – AZOP (in Croatian)

• Support material for conducting a DPIA – AZOP

🇸🇰 Slovakia

Supervisory Authority: Úrad na ochranu osobných údajov Slovenskej republiky (UOOU SR)

• DPIA Guidance – UOOU SR (in Slovak)

• Examples of high-risk processing activities

🇭🇺 Hungary

Supervisory Authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)

• DPIA Guidance – NAIH (in Hungarian)

• DPIA-related chapter: pages 89 to 97

🇷🇴 Romania

Supervisory Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

• DPIA Guidance – ANSPDCP (in Romanian)

• DPIA Q&A – ANSPDCP

🇧🇬 Bulgaria

Supervisory Authority: Commission for Personal Data Protection (CPDP)

• DPIA Guidelines – CPDP (in Bulgarian)

• DPIA Template Form – CPDP

🇱🇹 Lithuania

Supervisory Authority: Valstybinė duomenų apsaugos inspekcija (VDAI)

• DPIA Guidance – VDAI (in Lithuanian)

🇱🇻 Latvia

Supervisory Authority: Datu valsts inspekcija (DVI)

• DPIA Guidance – DVI (in Latvian)

🇱🇺 Luxembourg

Supervisory Authority: Commission Nationale pour la Protection des Données (CNPD)

• DPIA Guidance – CNPD

• List of processing operations requiring a DPIA – CNPD (PDF)

• FAQ DPIA – CNPD

🇬🇷 Greece

Supervisory Authority: Hellenic Data Protection Authority (HDPA) – Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

• DPIA Guidance (in Greek): DPIA Guidelines – HDPA Published under Decision No. 65/2018, includes interpretation of GDPR Article 35 in the Greek legal context.

• List of processing operations requiring a DPIA (Blacklist): DPIA Blacklist – HDPA (PDF, Greek) Covers high-risk scenarios including biometric processing, large-scale surveillance, and automated decision-making.

• DPIA Template (in Greek): DPIA Report Template – HDPA (DOCX) Offers a structured document to support compliance and impact analysis under Greek law.

🇨🇭 Switzerland

Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC / PFPDT / PFPDT)

Although Switzerland is not part of the EU, it has DPIA-equivalent requirements under its revised Federal Act on Data Protection (FADP, 2023):

• Data Protection Impact Assessment – FDPIC

• Guide on DPIA under revised Swiss FADP

✅ Required if a processing operation is likely to result in a high risk to personality or fundamental rights. Similar structure to Article 35 GDPR.