DPIA Guidance - country by country

This documentation page provides official resources and references from data protection authorities (DPAs) that help determine whether a Data Protection Impact Assessment (DPIA) is required. The list is organised by country.

Europe

United Kingdom (UK)

Supervisory Authority: Information Commissioner’s Office (ICO) Key Guidance:

• When is a DPIA required? DPIA Guidance – ICO Describes criteria for high-risk processing, including examples (e.g. profiling, tracking, large-scale special category data).

• Examples of likely high-risk processing: High Risk Processing Examples – ICO

Ireland

Supervisory Authority: Data Protection Commission (DPC) Key Guidance:

• List of processing operations requiring a DPIA: DPC DPIA Blacklist (PDF) Includes processing activities involving systematic monitoring, special category data, or large-scale profiling.

• General DPIA Guidance: DPIA Guidance – DPC

France

Supervisory Authority: CNIL

• Liste des traitements nécessitant une AIPD (DPIA)

• Liste des traitements exemptés (PDF)

• DPIA Framework & Guide – CNIL

Germany

Supervisory Authority: Each German state has its own DPA (e.g. BfDI at federal level).

• Federal DPIA Criteria (BfDI)

  • List of processing operations pursuant to Article 35(4) GDPR for processing activities carried out by federal public bodies

  • List of processing activities for which a DSFA must be carried out (DSK)

• By Land

  • List of processing activities requiring DPIA (Baden-Württemberg DPA) (in German)

  • Data protection impact assessment – Bavarian blacklist (in German)

🛑 DPIA criteria vary slightly by Land (state) due to Germany’s federal structure.

Spain

Supervisory Authority: Agencia Española de Protección de Datos (AEPD)

• AEPD – Guide for DPIAs (in Spanish)

• AEPD – List of types of data processing operations requiring an data protection impact assessment (article 35(4)) (PDF)

• AEPD - list of processing operations that do not require an impact assessment

• AEPD - report template to help companies conduct data protection impact assessments

Netherlands

Supervisory Authority: Autoriteit Persoonsgegevens (AP)

• DPIA Guidance - AP

• list of types of processing operations for which carrying out a DPIA is mandatory before you start processing - AP (in Dutch)

Belgium

Supervisory Authority: Autorité de protection des données (APD)

• APD – DPIA Guidance (in French)

• List of categories of processing subject to a data protection impact assessment (PDF) (in French)

• APD - DPIA Guidance (in Dutch)

• List of categories of processing subject to a data protection impact assessment (PDF) (in Dutch)

• GEB/DPIA VTC criteria list (in Dutch)

Italy

Supervisory Authority: Garante per la Protezione dei Dati Personali (GPDP)

• GPDP – DPIA Guidance Page

• List of types of processing subject to the requirement of a data protection impact assessment

Sweden

Supervisory Authority: Integritetsskyddsmyndigheten (IMY)

• When should an impact assessment be carried out? - IMY

• Guidance on impact assessment - A practical guide (PDF) (In Swedish)

• IMY's list of processing operations types that are covered by the requirement for an impact assessment (PDF) (in Swedish)

Denmark

Supervisory Authority: Datatilsynet

• DPIA Guidance – Datatilsynet

• Guidance on impact assessments (PDF) (in Danish)

• Datatilsynet's list of processing operations that are always subject to the requirement for an impact assessment (PDF) (in Danish)

• Datatilsynet's list of processing activities subject to the requirement for prior consultation with the supervisory authority pursuant to section 26 of the Law Enforcement Act

Finland

Supervisory Authority: Office of the Data Protection Ombudsman

• DPIA Guidance (in Finnish)

• List of DPIA-requiring processing (in Finnish)

Austria

Supervisory Authority: Datenschutzbehörde (DSB)

• DPIA Guidance – WKO (in German)

• List of processing operations requiring a DPIA – DSB (PDF)

• Exceptions to the data protection impact assessment (DPIA) - DSB (PDF)

Czech Republic

Supervisory Authority: Úřad pro ochranu osobních údajů (UOOU)

• DPIA Guidance - UOOU (in Czech)

• General Data Protection Impact Assessment Methodology (PDF document) – UOOU (in Czech)

• List of types of processing operations (not) subject to the requirement for a Data Protection Impact Assessment (DPIA) (PDF document) - UOOU (in Czech)

Poland

Supervisory Authority: Urząd Ochrony Danych Osobowych (UODO)

• DPIA Guidance – UODO (in Polish)

• List of types of personal data processing operations requiring an assessment of the impact of processing on the protection of personal data – UODO (in Polish)

• Conference video "Risk assessment and personal data protection" - UODO (in Polish)

Portugal

Supervisory Authority: Comissão Nacional de Proteção de Dados (CNPD)

• DPIA Guidance – CNPD (in Portuguese)

• List of processing operations types requiring a DPIA (PDF) - CNPD

Croatia

Supervisory Authority: Agencija za zaštitu osobnih podataka (AZOP)

• DPIA Guidance – AZOP (in Croatian)

• List of types of processing operations subject to the requirement for a data protection impact assessment - AZOP (in Croatian)

Slovakia

Supervisory Authority: Úrad na ochranu osobných údajov Slovenskej republiky (UOOU SR)

• List of processing operations subject to impact assessment on the protection of personal data of the Slovak Republic - UOOU SR (PDF) (in Slovakian)

• DPIA Guidelines - UOOU SR (in Slovakian)

Hungary

Supervisory Authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)

• DPIA Guidance – NAIH (in Hungarian)

• List of processing operations subject to impact assessment - NAIH (in Hungarian)

Romania

Supervisory Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

• List of processing operations subject to impact assessment - ANSPDCP (PDF) (in Romanian)

• Decision no. 174 of the 18th of October 2018 on the list of kind of processing operations which are subject to the requirement for a data protection impact assessment (PDF) (in English)

Bulgaria

Supervisory Authority: Commission for Personal Data Protection (CPDP)

• List of types of personal data processing operations for which an assessment of the impact on data protection is required (in Bulgarian)

🇱🇹 Lithuania

Supervisory Authority: Valstybinė duomenų apsaugos inspekcija (VDAI)

• List of data processing operations subject to data protection impact assessment - VDAI (PDF) (in Luthuanian)

🇱🇻 Latvia

Supervisory Authority: Datu valsts inspekcija (DVI)

• Types of processing activities for which a data protection impact assessment must be carried out – DVI (in Latvian)

Luxembourg

Supervisory Authority: Commission Nationale pour la Protection des Données (CNPD)

• DPIA Guidance – CNPD

• List of processing operations requiring a DPIA – CNPD (in French)

• DPIA infography - CNPD

Grèce

Supervisory Authority: Hellenic Data Protection Authority (HDPA) – Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

• DPIA Guidelines – HDPA

• List of processing operations requiring a DPIA (Blacklist) – HDPA (PDF, English)

Switzerland

Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC / PFPDT / PFPDT)

Although Switzerland is not part of the EU, it has DPIA-equivalent requirements under its revised Federal Act on Data Protection (FADP, 2023):

• Checklist for data protection impact assessments (DPIA) pursuant to Articles 22 and 23 of the Data Protection Act (DPA)

• Guide to implementing DPIA

✅ Required if a processing operation is likely to result in a high risk to personality or fundamental rights. Similar structure to Article 35 GDPR.