Transparency Seu electrònica

Preparing an impact assessment related to data protection

When is it necessary to conduct a PIA and how should it be approached?

AIPD

When the processing, due to its nature, scope, context or purposes, poses a high risk to the rights and freedoms of natural persons, especially when new technologies are used, the data controller must first carry out a data protection impact assessment (DPIA).

The GDPR establishes that, among other cases, a data protection impact assessment must be carried out in the following cases:

  • Systematic and comprehensive assessment of personal aspects of natural persons based on automated processing, such as profiling, on the basis of which decisions are taken that produce legal effects for natural persons or that significantly affect them in a similar way.
  • Large-scale processing of special data categories or personal data relating to criminal convictions and offences.
  • Large-scale systematic observation of a public access area.

To determine what is to be understood by "large scale", you can take into account what is determined by the Article 29 Group, in the Guidelines on the appointment of data protection officers. Thus, it is considered that to assess whether the processing is conducted on a large scale, the following must be taken into account:

  • The number of people affected, either in absolute terms or as a proportion of a certain population.
  • The volume and variety of data processed.
  • The duration or permanence of the processing.
  • The geographical extent of the processing.

The GDPR provides that the control authorities must publish a list of the types of processing operations that require a data protection impact assessment. The APDCAT considers that it is necessary to carry out a data protection impact assessment in the processing included in the following list. This list is not exhaustive and will be updated. If a processing operation is not included, it does not mean that a DPIA is unnecessary. It is always necessary to verify that the processing does not pose a high risk to people's rights and freedoms, especially if new technologies are used.

These criteria apply not only to data controllers that wish to carry out any of the processing types included, but also to the bodies and institutions that draw up a project of regulatory provision that involves any of these processing types. In this case, if the regulatory project has undergone a data protection impact assessment, it will not be necessary for data controllers to prepare one afterwards.
Prior consultation

If the data protection impact assessment shows that the planned processing may infringe the GDPR, in particular when the data controller has not identified or sufficiently mitigated the risk, it must make a query to the competent data protection control authority, such as the APDCAT. The query must be accompanied by the documentation provided for by the GDPR, including the impact assessment itself.

The control authority must advise in writing the data controller and, where applicable, the data processor, and can make use of all the powers conferred on it by the Regulation, among which is that of prohibiting the processing operation.

Access the procedure

Highlights

Last update: 21.01.2026