# DPIA Guidance - country by country

This documentation page provides official resources and references from data protection authorities (DPAs) that help determine whether a **Data Protection Impact Assessment (DPIA)** is required. The list is organised by country.

## Europe

### United Kingdom (UK)

**Supervisory Authority:** Information Commissioner’s Office (ICO)\
**Key Guidance:**

* **When is a DPIA required?**\
  [DPIA Guidance – ICO](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/)\
  Describes criteria for high-risk processing, including examples (e.g. profiling, tracking, large-scale special category data).
* **Examples of likely high-risk processing:**\
  [High Risk Processing Examples – ICO](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/)

### Ireland

**Supervisory Authority:** Data Protection Commission (DPC)\
**Key Guidance:**

* **List of processing operations requiring a DPIA:**\
  [DPC DPIA Blacklist (PDF)](https://www.dataprotection.ie/sites/default/files/uploads/2018-11/Data-Protection-Impact-Assessment.pdf)\
  Includes processing activities involving systematic monitoring, special category data, or large-scale profiling.
* **General DPIA Guidance:**\
  [DPIA Guidance – DPC](https://www.dataprotection.ie/en/dpc-guidance/guide-data-protection-impact-assessments)

### France

**Supervisory Authority:** CNIL

* [List of processing operations requiring a DPIA (AIPD) (in French)](https://www.cnil.fr/fr/listes-des-traitements-pour-lesquels-une-aipd-est-requise-ou-non)
* [List of exempt processing operations (PDF) (in French)](https://www.cnil.fr/sites/default/files/atoms/files/liste-traitements-aipd-non-requise.pdf)
* [DPIA Framework & Guide – CNIL](https://www.cnil.fr/en/guidelines-dpia)

### Germany

**Supervisory Authority:** Each German state has its own DPA, alongside the **BfDI** at federal level.

* [Federal DPIA Criteria (BfDI)](https://www.bfdi.bund.de/DE/Fachthemen/Inhalte/Technik/Datenschutz-Folgenabschaetzungen.html)
  * [List of processing operations pursuant to Article 35(4) GDPR for processing activities carried out by federal public bodies](https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Muster/Liste_VerarbeitungsvorgaengeArt35.pdf?__blob=publicationFile\&v=7)
  * [List of processing activities for which a DSFA must be carried out (DSK)](https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Muster/Liste_VerarbeitungsvorgaengeDSK.pdf?__blob=publicationFile\&v=7)
* By Land
  * [List of processing activities requiring DPIA (Baden-Württemberg DPA)](https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2018/05/Liste-von-Verarbeitungsvorg%C3%A4ngen-nach-Art.-35-Abs.-4-DS-GVO-LfDI-BW.pdf) (in German)
  * [Data protection impact assessment – Bavarian blacklist (in German)](https://www.datenschutz-bayern.de/nav/1801.html)

> 🛑 DPIA criteria vary slightly by **Land** (state) due to Germany’s federal structure.

### Spain

**Supervisory Authority:** Agencia Española de Protección de Datos (AEPD)

* [AEPD – Guide for DPIAs (in Spanish)](https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/analisis-de-riesgos-evaluacion-de-impacto-la-aepd-presenta)
* [AEPD – List of types of data processing operations requiring a data protection impact assessment (article 35(4)) (PDF)](https://www.aepd.es/documento/listas-dpia-es-35-4.pdf)
* [AEPD - list of processing operations that do not require an impact assessment](https://www.aepd.es/documento/listadpia-35-5-ingles.pdf)
* [AEPD - report template to help companies conduct data protection impact assessments](https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/la-aepd-publica-un-modelo-de-informe-para-ayudar-las-empresas)

### Netherlands

**Supervisory Authority:** Autoriteit Persoonsgegevens (AP)

* [DPIA Guidance - AP](https://www.autoriteitpersoonsgegevens.nl/en/themes/basic-gdpr/gdpr-in-practice/data-protection-impact-assessment-dpia)
* [List of types of processing operations for which carrying out a DPIA is mandatory before you start processing - AP (in Dutch)](https://wetten.overheid.nl/BWBR0042812/2019-11-27)

### Belgium

**Supervisory Authority:** Autorité de protection des données (APD)

* [APD – DPIA Guidance (in French)](https://www.autoriteprotectiondonnees.be/professionnel/rgpd-/analyse-d-impact-relative-a-la-protection-des-donnees)
* [List of categories of processing subject to a data protection impact assessment (PDF) (in French)](https://www.autoriteprotectiondonnees.be/publications/decision-n-01-2019-du-16-janvier-2019.pdf)
* [APD - DPIA Guidance (in Dutch)](https://www.gegevensbeschermingsautoriteit.be/professioneel/avg/effectbeoordeling-geb)
* [List of categories of processing subject to a data protection impact assessment (PDF) (in Dutch)](https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-nr.-01-2019-van-16-januari-2019.pdf)
* [GEB/DPIA VTC criteria list (in Dutch)](#user-content-fn-1)[^1]

### Italy

**Supervisory Authority:** Garante per la Protezione dei Dati Personali (GPDP)

* [GPDP – DPIA Guidance Page](https://www.garanteprivacy.it/valutazione-d-impatto-della-protezione-dei-dati-dpia-)
* [List of types of processing subject to the requirement of a data protection impact assessment](https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9058979)

### Sweden

**Supervisory Authority:** Integritetsskyddsmyndigheten (IMY)

* [When should an impact assessment be carried out? - IMY](https://www.imy.se/verksamhet/dataskydd/det-har-galler-enligt-gdpr/konsekvensbedomning/nar-ska-en-konsekvensbedomning-genomforas/)
* [Guidance on impact assessment - A practical guide (PDF) (in Swedish)](https://www.imy.se/globalassets/dokument/vagledningar/en-praktisk-guide.pdf)
* [IMY's list of processing operations types that are covered by the requirement for an impact assessment (PDF) (in Swedish)](https://www.imy.se/globalassets/dokument/ovrigt/forteckning---konsekvensbedomningar.pdf)

### Denmark

**Supervisory Authority:** Datatilsynet

* [DPIA Guidance – Datatilsynet](https://www.datatilsynet.dk/regler-og-vejledning/behandlingssikkerhed/konsekvensanalyse)
* [Guidance on impact assessments (PDF) (in Danish)](https://www.datatilsynet.dk/Media/2/6/Konsekvensanalyse.pdf)
* [Datatilsynet's list of processing operations that are always subject to the requirement for an impact assessment (PDF) (in Danish)](https://www.datatilsynet.dk/Media/4/1/Datatilsynets%20liste%20over%20behandlinger%20der%20altid%20er%20underlagt%20kravet%20om%20en%20konsekvensanalyse%20\(2\).pdf)
* [Datatilsynet's list of processing activities subject to the requirement for prior consultation with the supervisory authority pursuant to section 26 of the Law Enforcement Act](https://www.datatilsynet.dk/Media/638423966496872688/Liste%20efter%20retsh%C3%A5ndh%C3%A6velseslovens%20%C2%A7%2026,%20stk.%203.pdf)

### Finland

**Supervisory Authority:** Office of the Data Protection Ombudsman

* [DPIA Guidance (in Finnish)](https://tietosuoja.fi/vaikutustenarviointi)
* [List of DPIA-requiring processing (in Finnish)](https://tietosuoja.fi/luettelo-vaikutustenarviointia-edellyttavista-kasittelytoimista)

### Austria

**Supervisory Authority:** Datenschutzbehörde (DSB)

* [DPIA Guidance – WKO (in German)](https://ratgeber.wko.at/dsfa/)
* [List of processing operations requiring a DPIA – DSB (PDF)](https://www.ris.bka.gv.at/eli/bgbl/II/2018/278/20181109)
* [Exceptions to the data protection impact assessment (DPIA) - DSB (PDF)](https://www.ris.bka.gv.at/eli/bgbl/II/2018/108/20180525)

### Czech Republic

**Supervisory Authority:** Úřad pro ochranu osobních údajů (UOOU)

* [DPIA Guidance - UOOU (in Czech)](https://uoou.gov.cz/profesional/metodiky-a-doporuceni-pro-spravce/posouzeni-vlivu-na-ochranu-osobnich-udaju)
* [General Data Protection Impact Assessment Methodology (PDF document) – UOOU (in Czech)](https://uoou.gov.cz/media/profesional/metodika-obecneho-posouzeni-vlivu-na-ochranu-osobnich-udaju.pdf)
* [List of types of processing operations (not) subject to the requirement for a Data Protection Impact Assessment (DPIA) (PDF document) - UOOU (in Czech)](https://uoou.gov.cz/media/profesional/seznam-operaci-zpracovani-nepodlehajicich-pozadavku-na-dpia.pdf)

### Poland

**Supervisory Authority:** Urząd Ochrony Danych Osobowych (UODO)

* [DPIA Guidance – UODO (in Polish)](https://uodo.gov.pl/pl/598/3617?mkt_tok=MTM4LUVaTS0wNDIAAAGZm5Te7KF5c_87ovOvFSvFlk8TT1HkKjhhYeegH3TbE8QJRvBLS2CpCfzokPMEBeuc49OMBxEHR-wUHla56YileVIl8xBAGkhX55NXHMT_LCc8)
* [List of types of personal data processing operations requiring an assessment of the impact of processing on the protection of personal data – UODO (in Polish)](https://monitorpolski.gov.pl/MP/2019/666)
* [Conference video "Risk assessment and personal data protection" - UODO (in Polish)](https://uodo.gov.pl/pl/138/3507)

### Portugal

**Supervisory Authority:** Comissão Nacional de Proteção de Dados (CNPD)

* [DPIA Guidance – CNPD (in Portuguese)](https://www.cnpd.pt/organizacoes/outras-obrigacoes/avaliacao-de-impacto/)
* [List of processing operations types requiring a DPIA (PDF)](https://www.cnpd.pt/umbraco/surface/cnpdDecision/download/121818) - CNPD

### Croatia

**Supervisory Authority:** Agencija za zaštitu osobnih podataka (AZOP)

* [DPIA Guidance – AZOP (in Croatian)](https://azop.hr/provodenje-procjene-ucinka-na-zastitu-podataka-dpia-postupci-obrade-koji-predstavljaju-mogucnost-visokog-rizika/)
* [List of types of processing operations subject to the requirement for a data protection impact assessment - AZOP (in Croatian)](https://azop.hr/odluka-o-uspostavi-i-javnoj-objavi-popisa-vrsta-postupaka-obrade-koje-podlijezu-zahtjevu-za-procjenu-ucinka-na-zastitu-podataka/)

### Slovakia

**Supervisory Authority:** Úrad na ochranu osobných údajov Slovenskej republiky (UOOU SR)

* [List of processing operations subject to impact assessment on the protection of personal data of the Slovak Republic - UOOU SR (PDF) (in Slovakian)](https://dataprotection.gov.sk/files/metod-urad/3/zoznam_spracovatelskych_operacii_ktore_podliehaju_posudeniu_vplyvu.pdf)
* [DPIA Guidelines - UOOU SR (in Slovakian)](https://dataprotection.gov.sk/sk/aktuality/zoznam-spracovatelskych-operacii-ktore-podliehaju-poziadavke-posudenie-vplyvu.html)

### Hungary

**Supervisory Authority:** Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)

* [DPIA Guidance – NAIH (in Hungarian)](https://www.naih.hu/az-adatvedelmi-hatasvizsgalat-es-elozetes-konzultacioja)
* [List of processing operations subject to impact assessment - NAIH (in Hungarian)](https://www.naih.hu/hatasvizsgalati-lista)

### Romania

**Supervisory Authority:** Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

* [List of processing operations subject to impact assessment - ANSPDCP (PDF) (in Romanian)](https://www.dataprotection.ro/servlet/ViewDocument?id=1556)
* [Decision no. 174 of the 18th of October 2018 on the list of kind of processing operations which are subject to the requirement for a data protection impact assessment (PDF) (in English)](https://www.dataprotection.ro/servlet/ViewDocument?id=1870)

### Bulgaria

**Supervisory Authority:** Commission for Personal Data Protection (CPDP)

* [List of types of personal data processing operations for which an assessment of the impact on data protection is required (in Bulgarian)](https://cpdp.bg/home-default/%D0%BD%D0%B0%D1%81%D0%BE%D0%BA%D0%B8/%D1%81%D0%BF%D0%B8%D1%81%D1%8A%D0%BA-%D0%BD%D0%B0-%D0%B2%D0%B8%D0%B4%D0%BE%D0%B2%D0%B5%D1%82%D0%B5-%D0%BE%D0%BF%D0%B5%D1%80%D0%B0%D1%86%D0%B8%D0%B8-%D0%BF%D0%BE-%D0%BE%D0%B1%D1%80%D0%B0%D0%B1%D0%BE/)

### Lithuania

**Supervisory Authority:** Valstybinė duomenų apsaugos inspekcija (VDAI)

* [List of data processing operations subject to data protection impact assessment - VDAI (PDF) (in Lithuanian)](https://vdai.lrv.lt/uploads/vdai/documents/files/06%20Poveikio%20duomen%C5%B3%20apsaugai%20vertinimas%202019-03-18.pdf)

### Latvia

**Supervisory Authority:** Datu valsts inspekcija (DVI)

* [Types of processing activities for which a data protection impact assessment must be carried out – DVI (in Latvian)](https://www.dvi.gov.lv/lv/media/92/download?attachment)

### Luxembourg

**Supervisory Authority:** Commission Nationale pour la Protection des Données (CNPD)

* [DPIA Guidance – CNPD](https://cnpd.public.lu/fr/professionnels/obligations/AIPD.html)
* [List of processing operations requiring a DPIA – CNPD (in French)](https://cnpd.public.lu/fr/professionnels/obligations/AIPD/liste-dpia.html)
* [DPIA infography - CNPD](https://cnpd.public.lu/dam-assets/fr/professionnels/aipd/Infographie-AIPD.pdf)

### Greece

**Supervisory Authority:** Hellenic Data Protection Authority (HDPA) – Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

* [DPIA Guidelines – HDPA](https://www.dpa.gr/el/foreis/ektimisi_adiktipou_kai_diavouleush/ektimisi_adiktipou)
* [List of processing operations requiring a DPIA (Blacklist) – HDPA (PDF, English)](https://app.gitbook.com/o/uWrGLDLDipyYq3GpIuW2/s/1i0NSpf8ID0PXTpIyycA/)

### Switzerland

**Supervisory Authority:** Federal Data Protection and Information Commissioner (FDPIC / PFPDT)

Although Switzerland is not part of the EU, it has **DPIA-equivalent requirements** under its revised Federal Act on Data Protection (FADP, 2023):

* [Checklist for data protection impact assessments (DPIA) pursuant to Articles 22 and 23 of the Data Protection Act (DPA)](https://backend.edoeb.admin.ch/fileservice/sdweb-docs-prod-edoebch-files/files/2024/11/05/eb84f377-103e-4e7f-9896-62ec970f2290.pdf)
* [Guide to implementing DPIA](https://www.bj.admin.ch/bj/fr/home/staat/datenschutz/info-bundesbehoerden.html)

> ✅ Required if a processing operation is likely to result in a high risk to personality or fundamental rights. Similar structure to Article 35 GDPR.

[^1]: <https://www.vlaanderen.be/vlaamse-toezichtcommissie/machtigingen-en-adviezen-vlaamse-toezichtcommissie/lijst-vtc-criteria-geb-dpia>
