Tool · Design 2.4

Do I need a DPIA?

A Data Protection Impact Assessment is required before processing that is likely high-risk. Tick every criterion that applies to one processing activity. Two or more usually means run a DPIA.

EDPB nine criteria · Art. 35
Which of these does your processing involve?
Assess one activity at a time. The more boxes you tick, the higher the risk.

0 of 9 criteria selected

Assessment
Tick the criteria that apply to see whether a DPIA is needed.
Always required, whatever the count (Art. 35(3))
  • Systematic, extensive profiling that produces legal or similarly significant effects.
  • Large-scale processing of special-category (Art. 9) or criminal-conviction data.
  • Large-scale systematic monitoring of a publicly accessible area.
Not legal advice. A screening helper based on the EDPB criteria. Also check your lead authority's national "always" and "never" DPIA lists.