AGIDAT – Data Protection | Information Security

Data Protection Impact Assessment

DPIA per Art. 35 GDPR — when required, done right.

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a mandatory process under Art. 35 GDPR for processing operations that are "likely to result in a high risk" to the rights and freedoms of individuals. It must be carried out before the processing begins and must systematically assess the risks and the measures to address them.

When is a DPIA required?

A DPIA is typically required for:

  • Systematic and extensive evaluation of personal aspects, including profiling
  • Large-scale processing of special category data (health, biometric, etc.)
  • Systematic monitoring of publicly accessible areas (CCTV, etc.)
  • Use of new technologies with high privacy risk
  • Processing on the supervisory authority's "blacklist" of high-risk operations

Our DPIA process

  1. Screening — is a DPIA actually required?
  2. Processing description — documenting the nature, scope, context and purpose
  3. Necessity and proportionality — legal basis, data minimization, retention
  4. Risk assessment — likelihood and severity of risks to data subjects
  5. Risk mitigation — measures to address identified risks
  6. Prior consultation — supervisory authority consultation where required (Art. 36)