GDPR requires supervisory authories to establish and make public their lists of the kind of processing operations which are subject to the requirement for a data protection impact assessment (DPIA).

22 supervisory authorities submitted their draft lists to the European Data Protection Board (EDPB) for its opinion earlier this year. EDPB issued its opinions on the draft lists at the end of September. (The following countries are concerned: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germay, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, the Netherlands, Poland, Portugal, Romania, Sweden, Slovakia, UK. A good comprehensive analysis of the DPIA lists is available here in English.)

Based on the opinion of the EDPB, some of the supervisory authorities published the final list. You can find some of such final lists at the below links: 

France:

• CNIL's mandatory DPIA list in French

Germany:

• Datenschutzkonferenz's (DSK) mandatory DPIA list in German
• DSK's mandatory DPIA list in English

Hungary:

• Hungarian SA's mandatory DPIA list in Hungarian
• Hungarian SA's mandatory DPIA list in English

Portugal:

• Portugese SA's mandatory DPIA list in Portugese

UK:

• ICO's mandatory DPIA list in English

Regarding Austria, no "black list" is available but a "white list" (i.e. a list of processing activities that are not subject to the obligation of preparing a DPIA) was published (in German).