DPIA Guidance - country by country
Guidance on data processing activities requiring a DPIA.
This documentation page provides official resources and references from data protection authorities (DPAs) that help determine whether a Data Protection Impact Assessment (DPIA) is required. The list is organised by country.
Europe
United Kingdom (UK)
Supervisory Authority: Information Commissioner’s Office (ICO)
Key Guidance:
When is a DPIA required? DPIA Guidance – ICO. Describes criteria for high-risk processing, including examples (e.g. profiling, tracking, large-scale special category data).
Examples of likely high-risk processing: High Risk Processing Examples – ICO
Ireland
Supervisory Authority: Data Protection Commission (DPC)
Key Guidance:
List of processing operations requiring a DPIA: DPC DPIA Blacklist (PDF). Includes processing activities involving systematic monitoring, special category data, or large-scale profiling.
General DPIA Guidance: DPIA Guidance – DPC
France
Supervisory Authority: CNIL
Germany
Supervisory Authority: Each German state has its own DPA, and the BfDI is the authority at federal level.
🛑 DPIA criteria vary slightly by Land (state) due to Germany’s federal structure.
Spain
Supervisory Authority: Agencia Española de Protección de Datos (AEPD)
Netherlands
Supervisory Authority: Autoriteit Persoonsgegevens (AP)
Belgium
Supervisory Authority: Autorité de protection des données (APD)
Italy
Supervisory Authority: Garante per la Protezione dei Dati Personali (GPDP)
Sweden
Supervisory Authority: Integritetsskyddsmyndigheten (IMY)
Denmark
Supervisory Authority: Datatilsynet
Finland
Supervisory Authority: Office of the Data Protection Ombudsman
Austria
Supervisory Authority: Datenschutzbehörde (DSB)
Czech Republic
Supervisory Authority: Úřad pro ochranu osobních údajů (UOOU)
Poland
Supervisory Authority: Urząd Ochrony Danych Osobowych (UODO)
Portugal
Supervisory Authority: Comissão Nacional de Proteção de Dados (CNPD)
🇭🇷 Croatia
Supervisory Authority: Agencija za zaštitu osobnih podataka (AZOP)
DPIA Guidance – AZOP (in Croatian)
Support material for conducting a DPIA – AZOP
🇸🇰 Slovakia
Supervisory Authority: Úrad na ochranu osobných údajov Slovenskej republiky (UOOU SR)
DPIA Guidance – UOOU SR (in Slovak)
Examples of high-risk processing activities
🇭🇺 Hungary
Supervisory Authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
DPIA Guidance – NAIH (in Hungarian)
DPIA-related chapter: pages 89 to 97
🇷🇴 Romania
Supervisory Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
DPIA Guidance – ANSPDCP (in Romanian)
DPIA Q&A – ANSPDCP
🇧🇬 Bulgaria
Supervisory Authority: Commission for Personal Data Protection (CPDP)
DPIA Guidelines – CPDP (in Bulgarian)
DPIA Template Form – CPDP
🇱🇹 Lithuania
Supervisory Authority: Valstybinė duomenų apsaugos inspekcija (VDAI)
DPIA Guidance – VDAI (in Lithuanian)
🇱🇻 Latvia
Supervisory Authority: Datu valsts inspekcija (DVI)
DPIA Guidance – DVI (in Latvian)
🇱🇺 Luxembourg
Supervisory Authority: Commission Nationale pour la Protection des Données (CNPD)
DPIA Guidance – CNPD
List of processing operations requiring a DPIA – CNPD (PDF)
FAQ DPIA – CNPD
🇬🇷 Greece
Supervisory Authority: Hellenic Data Protection Authority (HDPA) – Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα
DPIA Guidance (in Greek): DPIA Guidelines – HDPA. Published under Decision No. 65/2018; includes interpretation of GDPR Article 35 in the Greek legal context.
List of processing operations requiring a DPIA (Blacklist): DPIA Blacklist – HDPA (PDF, Greek). Covers high-risk scenarios including biometric processing, large-scale surveillance, and automated decision-making.
DPIA Template (in Greek): DPIA Report Template – HDPA (DOCX). Offers a structured document to support compliance and impact analysis under Greek law.
🇨🇭 Switzerland
Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC / PFPDT)
Although Switzerland is not part of the EU, it has DPIA-equivalent requirements under its revised Federal Act on Data Protection (FADP, 2023):
Data Protection Impact Assessment – FDPIC
Guide on DPIA under revised Swiss FADP
✅ Required if a processing operation is likely to result in a high risk to personality or fundamental rights. Similar structure to Article 35 GDPR.