DPIA Triggers
When is a DPIA mandatory?
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
A DPIA obligation arises where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. The criteria are specified in Article 35(3), supplemented by the supervisory authorities' black and white lists and the guidelines of the Article 29 Working Party (now the EDPB).
What are DPIA Triggers?
Mandatory triggers (Article 35(3)):
- Systematic evaluation with legal effect
- Special-category data on a large scale
- Systematic monitoring of public areas
BfDI black list 2024 (excerpt): employee tracking, AI recruiting, fitness trackers, smart cities.
Practical example
HR tool with AI-based evaluation: all 3 triggers are met, so a DPIA is mandatory. Effort: 8-15 person-days, documented in accordance with Article 35(7).
Frequently asked questions
Who performs the DPIA?
The controller, with advice from the DPO. External consultancy is recommended for complex cases.
Who reviews it?
The controller itself. The supervisory authority reviews on request.