The most important facts at a glance
- Mandatory for High Risk: A Data Protection Impact Assessment (DPIA) is always mandatory under Art. 35 GDPR when a data processing operation is likely to result in a high risk to the rights and freedoms of natural persons.
- Three core use cases: The DPIA is particularly relevant for systematic profiling, large-scale processing of special categories of personal data, and systematic monitoring of publicly accessible areas.
- Acting early pays off: The DPIA must be conducted before data processing begins. Those who create it retrospectively or omit it entirely risk fines and, in the worst case, criminal consequences.
Why the DPIA is More Than a Formality
Data protection is no longer an abstract topic that only concerns large corporations. Small and medium-sized enterprises, medical practices, HR departments, security service providers, and municipalities are all equally faced with the question: When is a data protection impact assessment necessary - and what happens if we omit it?
The Data Protection Impact Assessment (DPIA) is a central instrument of data protection risk management. It is not a bureaucratic end in itself, but a preventive tool: before potentially risky data processing begins, the company should systematically analyze the risks that arise – and how they can be minimized.
The consequences of ignoring this obligation are significant. Supervisory authorities can impose hefty fines. Furthermore, in certain situations, data protection violations can also have criminal relevance – for example, if the data protection violation overlaps with other criminal offenses.
Legal Basis: Article 35 GDPR at a Glance
The central standard for the data protection impact assessment is Article 35 GDPR.
Art. 35(1) GDPR: If a type of processing, in particular when using new technologies, and considering the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to processing, carry out an assessment of the impact of the intended processing operations on the protection of personal data.
Article 35(3) GDPR:
1. When processing biometric data for the purpose of uniquely identifying a person.
2. When systematically and comprehensively monitoring a publicly accessible area (e.g., video surveillance).
3. When processing special categories of personal data (e.g., health data, ethnic origin, political opinions) on a large scale.
- Systematic and comprehensive assessment of personal aspects of natural persons, in particular through profiling, on the basis of which decisions with significant legal or similarly significant consequences are made.
- Extensive processing of special categories of personal data according to Art. 9 GDPR (e.g., health data, biometric data, data concerning political opinion).
- Systematic extensive surveillance of publicly accessible areas, for example through video surveillance.
When exactly is a Data Protection Impact Assessment (DPIA) necessary? The crucial criteria
The question of whether a DPIA is required cannot always be answered with a simple yes or no. The European Data Protection Board has developed criteria in its guidelines on Article 35 GDPR that can be used to assess the risk of a processing operation. The more of these criteria that apply, the more likely a DPIA obligation is.
The criteria at a glance:
1. Rating or Scoring – Are individuals being evaluated or are predictions being made about their behavior, creditworthiness, or health? Credit scoring systems, credit checks, or behavioral profiles are classic examples here.
2. Automated decision-making with significant impact – Are decisions made without human intervention that have legal or similarly significant effects? This particularly concerns automated rejections of credit applications or job applications.
3. Systematic Monitoring – Are individuals systematically monitored, tracked, or controlled? This includes not only video surveillance but also tracking employees via software tools or monitoring network activities.
4. Processing of Sensitive Data – Does this concern the processing of special categories of personal data according to Art. 9 GDPR or data relating to criminal convictions? Here the threshold is naturally low.
5. Large-scale processing – How many people are affected? What data volume is being processed? How long does the processing take? There is no fixed limit for "large scale" – the overall picture is decisive.
6. Record Matching or Merging – Are data from different sources merged or linked, for example through cross-device tracking or the combination of CRM data with social media profiles?
7. Data concerning protected persons – Does the processing concern children, the elderly, mentally ill individuals, or other particularly vulnerable groups? These groups may have more difficulty exercising their rights and are therefore particularly worthy of protection.
8. Innovative use or application of technological or organizational solutions – Are new technologies being used whose consequences are not yet fully foreseeable? Examples include AI-powered analysis systems and facial recognition.
9. Processing that prevents the exercise of rights or the use of services or contracts – Does the processing result in individuals being excluded from certain services? This is particularly relevant in the financial and insurance sectors.
Practical tips for companies
Those who are wondering if a DPIA is required for their own data processing should follow these steps:
Step 1: Describe the processing activity in detail. What data is processed, for what purpose, by whom, for how long, and with whom is it shared? A precise description is the foundation of any risk assessment.
Step 2: Check regulatory blacklists. The German data protection authorities have identified specific processing activities for which a DPIA is mandatory. This list should serve as the first filter.
Step 3: Review the European Data Protection Board (EDPB) criteria. How many of the above criteria of the European Data Protection Board apply? Two or more criteria indicate a DPIA obligation. The review should be documented – even if the result is that no DPIA is required.
Step 4: Involve the Data Protection Officer. Companies that have appointed a Data Protection Officer – whether internal or external – are obliged to involve them in the DPIA according to Art. 35(2) GDPR. Their opinion must be documented.
Step 5: Complete the DPIA before starting processing. The assessment must be completed before processing begins. A retroactive DPIA cannot avert fines.
Checklist: DPIA – Am I Affected?
- Mandatory pre-examination: Processing activity fully described?
- Blacklist checked: Is the processing on the list of the supervisory authorities?
- EDPB criteria applied: Do two or more apply?
- Data protection officer involved: Statement documented?
- DPIA fully documented: Includes description, necessity, proportionality, risks, and mitigation measures?
- Supervisory authority consulted (if necessary): Prior consultation initiated for remaining high risks according to Art. 36 GDPR?
- DPIA regularly reviewed: Will the assessment be updated upon changes to the processing?
- Deadline met: DPIA completed before processing begins?
Data Protection Impact Assessment as a Strategic Tool
The question of when a data protection impact assessment (DPIA) is necessary cannot be answered with a single response. It requires careful, case-by-case analysis – and therein lies its value. Those who see the DPIA not as an annoying obligation, but as an opportunity to systematically question and secure data processing operations, not only create legal certainty but also build trust with customers, employees, and business partners.
The interface between data protection law, IT law, and – in certain constellations – criminal law is complex. Errors can have serious consequences. If you are unsure whether a DPIA is required for your processing activities, or if you need assistance in creating one, please contact us. SITTIG LAW will advise you with combined expertise in data protection and IT law.
Frequently asked questions
Not necessarily. A DPIA is only required if processing is likely to result in a high risk to the rights and freedoms of natural persons. Many everyday processing activities – such as classic customer data management without profiling – do not trigger a DPIA requirement. However, a systematic preliminary check is always recommended.
The failure to conduct a required DPIA constitutes a data protection infringement that can be penalized with fines under Art. 83 GDPR. Furthermore, supervisory authorities can prohibit the processing in question.
The data controller is responsible for conducting the DPIA – usually the company or organization that decides on the purposes and means of data processing. The Data Protection Officer is to be involved in an advisory capacity but bears no independent responsibility for the DPIA.
This depends on the complexity of the processing. A simple DPIA for a clearly defined processing operation can be completed in a few days. Complex systems – such as company-wide AI applications – can take several weeks. The crucial point is that the DPIA must be completed before processing begins.
The DPIA should be reviewed when the risk associated with the processing changes. Updates are also required for significant changes to the processing, such as new data sources, recipients, or purposes. As a rule of thumb, a review every two to three years is recommended.
Art. 35(7) GDPR specifies the minimum content: a systematic description of the processing operations, an assessment of the necessity and proportionality of the processing, an assessment of the risks, and a description of the measures planned to address these risks.
Yes, it is permissible to conduct a single risk assessment for multiple similar processing operations that exhibit comparable high risks. This is useful for example in corporate groups or for standardized processes.
In principle, the DPIA must also be carried out for existing processing activities if they present a high risk. For new processing activities, the obligation naturally applies from the outset. Companies that have not yet reviewed existing processing activities should do so – also in order to be able to provide appropriate documentation in the event of an audit by the supervisory authority.