DPIA Guidance - country by country
Guidance on data processing activities requiring a DPIA.
This documentation page provides official resources and references from data protection authorities (DPAs) that help determine whether a Data Protection Impact Assessment (DPIA) is required. The list is organised by country.
Europe
United Kingdom (UK)
Supervisory Authority: Information Commissioner’s Office (ICO)
Key Guidance:
When is a DPIA required? DPIA Guidance – ICO. Describes criteria for high-risk processing, including examples (e.g. profiling, tracking, large-scale special category data).
Examples of likely high-risk processing: High Risk Processing Examples – ICO
Ireland
Supervisory Authority: Data Protection Commission (DPC)
Key Guidance:
List of processing operations requiring a DPIA: DPC DPIA Blacklist (PDF). Includes processing activities involving systematic monitoring, special category data, or large-scale profiling.
General DPIA Guidance: DPIA Guidance – DPC
France
Supervisory Authority: CNIL
Germany
Supervisory Authority: Each German state has its own DPA (e.g. BfDI at federal level).
🛑 DPIA criteria vary slightly by Land (state) due to Germany’s federal structure.
Spain
Supervisory Authority: Agencia Española de Protección de Datos (AEPD)
Netherlands
Supervisory Authority: Autoriteit Persoonsgegevens (AP)
Belgium
Supervisory Authority: Autorité de protection des données (APD)
Italy
Supervisory Authority: Garante per la Protezione dei Dati Personali (GPDP)
Sweden
Supervisory Authority: Integritetsskyddsmyndigheten (IMY)
Denmark
Supervisory Authority: Datatilsynet
Finland
Supervisory Authority: Office of the Data Protection Ombudsman
Austria
Supervisory Authority: Datenschutzbehörde (DSB)
Czech Republic
Supervisory Authority: Úřad pro ochranu osobních údajů (UOOU)
Poland
Supervisory Authority: Urząd Ochrony Danych Osobowych (UODO)
Portugal
Supervisory Authority: Comissão Nacional de Proteção de Dados (CNPD)
Croatia
Supervisory Authority: Agencija za zaštitu osobnih podataka (AZOP)
Slovakia
Supervisory Authority: Úrad na ochranu osobných údajov Slovenskej republiky (UOOU SR)
Hungary
Supervisory Authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Romania
Supervisory Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Bulgaria
Supervisory Authority: Commission for Personal Data Protection (CPDP)
Lithuania
Supervisory Authority: Valstybinė duomenų apsaugos inspekcija (VDAI)
Latvia
Supervisory Authority: Datu valsts inspekcija (DVI)
Luxembourg
Supervisory Authority: Commission Nationale pour la Protection des Données (CNPD)
Greece
Supervisory Authority: Hellenic Data Protection Authority (HDPA) – Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα
Switzerland
Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC / PFPDT)
Although Switzerland is not part of the EU, it has DPIA-equivalent requirements under its revised Federal Act on Data Protection (FADP, 2023):
✅ Required if a processing operation is likely to result in a high risk to personality or fundamental rights. Similar structure to Article 35 GDPR.