GDPR

Adatvédelem mindenkinek / Data protection for everyone

Lists of mandatory DPIAs

2018. november 26. 08:00 - poklaszlo

GDPR requires supervisory authories to establish and make public their lists of the kind of processing operations which are subject to the requirement for a data protection impact assessment (DPIA).

22 supervisory authorities submitted their draft lists to the European Data Protection Board (EDPB) for its opinion earlier this year. EDPB issued its opinions on the draft lists at the end of September. (The following countries are concerned: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germay, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, the Netherlands, Poland, Portugal, Romania, Sweden, Slovakia, UK. A good comprehensive analysis of the DPIA lists is available here in English.)

Based on the opinion of the EDPB, some of the supervisory authorities published the final list. You can find some of such final lists at the below links: 

France:

Germany:

Hungary:

UK:

Regarding Austria, no "black list" is available but a "white list" (i.e. a list of processing activities that are not subject to the obligation of preparing a DPIA) was published (in German).