DPIA Guidance - country by country

Guidance on data processing activities requiring a DPIA.

This documentation page provides official resources and references from data protection authorities (DPAs) that help determine whether a Data Protection Impact Assessment (DPIA) is required. The list is organised by country.

Europe

United Kingdom (UK)

Supervisory Authority: Information Commissioner’s Office (ICO) Key Guidance:

Ireland

Supervisory Authority: Data Protection Commission (DPC)

Key Guidance:

  • List of processing operations requiring a DPIA: DPC DPIA Blacklist (PDF). Includes processing activities involving systematic monitoring, special category data, or large-scale profiling.

  • General DPIA Guidance: DPIA Guidance – DPC

France

Supervisory Authority: CNIL

Germany

Supervisory Authority: Each German state has its own DPA, in addition to the BfDI at federal level.

🛑 DPIA criteria vary slightly by Land (state) due to Germany’s federal structure.

Spain

Supervisory Authority: Agencia Española de Protección de Datos (AEPD)

Netherlands

Supervisory Authority: Autoriteit Persoonsgegevens (AP)

Belgium

Supervisory Authority: Autorité de protection des données (APD)

Italy

Supervisory Authority: Garante per la Protezione dei Dati Personali (GPDP)

Sweden

Supervisory Authority: Integritetsskyddsmyndigheten (IMY)

Denmark

Supervisory Authority: Datatilsynet

Finland

Supervisory Authority: Office of the Data Protection Ombudsman

Austria

Supervisory Authority: Datenschutzbehörde (DSB)

Czech Republic

Supervisory Authority: Úřad pro ochranu osobních údajů (UOOU)

Poland

Supervisory Authority: Urząd Ochrony Danych Osobowych (UODO)

Portugal

Supervisory Authority: Comissão Nacional de Proteção de Dados (CNPD)

🇭🇷 Croatia

Supervisory Authority: Agencija za zaštitu osobnih podataka (AZOP)

  • DPIA Guidance – AZOP (in Croatian)

  • Support material for conducting a DPIA – AZOP

🇸🇰 Slovakia

Supervisory Authority: Úrad na ochranu osobných údajov Slovenskej republiky (UOOU SR)

  • DPIA Guidance – UOOU SR (in Slovak)

  • Examples of high-risk processing activities

🇭🇺 Hungary

Supervisory Authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)

  • DPIA Guidance – NAIH (in Hungarian)

  • DPIA-related chapter: pages 89 to 97

🇷🇴 Romania

Supervisory Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

  • DPIA Guidance – ANSPDCP (in Romanian)

  • DPIA Q&A – ANSPDCP

🇧🇬 Bulgaria

Supervisory Authority: Commission for Personal Data Protection (CPDP)

  • DPIA Guidelines – CPDP (in Bulgarian)

  • DPIA Template Form – CPDP

🇱🇹 Lithuania

Supervisory Authority: Valstybinė duomenų apsaugos inspekcija (VDAI)

  • DPIA Guidance – VDAI (in Lithuanian)

🇱🇻 Latvia

Supervisory Authority: Datu valsts inspekcija (DVI)

  • DPIA Guidance – DVI (in Latvian)

🇱🇺 Luxembourg

Supervisory Authority: Commission Nationale pour la Protection des Données (CNPD)

  • DPIA Guidance – CNPD

  • List of processing operations requiring a DPIA – CNPD (PDF)

  • FAQ DPIA – CNPD

🇬🇷 Greece

Supervisory Authority: Hellenic Data Protection Authority (HDPA) – Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

  • DPIA Guidance (in Greek): DPIA Guidelines – HDPA. Published under Decision No. 65/2018; includes interpretation of GDPR Article 35 in the Greek legal context.

  • List of processing operations requiring a DPIA (Blacklist): DPIA Blacklist – HDPA (PDF, Greek). Covers high-risk scenarios including biometric processing, large-scale surveillance, and automated decision-making.

  • DPIA Template (in Greek): DPIA Report Template – HDPA (DOCX). Offers a structured document to support compliance and impact analysis under Greek law.

🇨🇭 Switzerland

Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC / PFPDT)

Although Switzerland is not part of the EU, it has DPIA-equivalent requirements under its revised Federal Act on Data Protection (FADP, 2023):

  • Data Protection Impact Assessment – FDPIC

  • Guide on DPIA under revised Swiss FADP

✅ Required if a processing operation is likely to result in a high risk to personality or fundamental rights. Similar structure to Article 35 GDPR.
