Data Protection Academy » Data Protection Wiki » Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessment (DPIA) according to Article 35 DSGVO

Data Protection Impact Assessment (DPIA): Risk assessment according to Article 35 GDPR

The Data protection impact assessment (DSFA) is in Article 35 GDPR and is a risk analysis that applies to the description and assessment of risks prior to the processing of certain data. The data protection impact assessment is a complex process within data protectionwhich does not have to be carried out prior to every data processing activity, but in the case of particularly critical processing operations which either use a certain automated system, or individual-related data special categories (according to Article 9 and the Article 10 of the GDPR). By assessing the risk during processing, this should be reduced.

The risk analysis or impact assessment for data processing already existed in the BDSG (old). The corresponding procedure was regulated in Section 4d (5) and (6) and required prior checking as soon as automated processing processes entailed a particular risk for the rights and freedoms of the data subjects.

When is a data protection impact assessment necessary?

In the General Data Protection Regulation Article 35 provides a general description of the three cases that require a data protection impact assessment in each case:

  • systematic and comprehensive assessment personal aspects of natural persons which are related to automated processing including Profiling and which in turn serves as the basis for decisions which have legal effect vis-à-vis natural persons or affect them in a similarly significant way;
  • extensive processing of special categories personal data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10 (e.g. health data), or
  • Systematic comprehensive monitoring publicly accessible areas (e.g. video surveillance);

In addition, the GDPR further provides that data protection supervisory authorities shall publish a list of processing activities that present a high risk to the rights and freedoms of individuals and for which a DPIA is therefore strictly necessary. Within Germany, the respective supervisory authorities of the federal states have both positive as well as negative lists published.

These positive and negative lists are not to be regarded as exhaustive and are continuously adapted by the German data protection supervisory authorities. For orientation, it is worthwhile to take a look at the website of the responsible data protection authorities. data protection supervisory authorities.


We continuously incorporate the current status of the positive and negative lists of the data protection supervisory authorities into our Robin Data software. So you have all the information in one place.

How should the data protection impact assessment be carried out?

At what point should the DPIA be carried out?

A data protection impact assessment is a complex process of before starting processing must be carried out. However, existing processing activities must also be reviewed to determine whether they also fall under the obligation of a DPIA. The Data Protection Conference (DSK) assesses the preparation of a DPIA as relatively time-consuming and recommends its implementation, supported by a data protection management system. Especially since the preparation of the data protection impact assessment is not a one-time process, but rather a continuous process of preparation, execution, implementation and review. The assessment of risks per processing activity is linked to the Robin Data Software possible.

How is the data protection impact assessment linked to the inventory of processing activities?

The directory of processing activities contains all data processing processes of your company. The better the documentation of the processing activities, the easier the subsequent data protection impact assessment. Accordingly, the directory is also the starting point for the DPIA and the risk assessment of the respective processing activity and the classification of whether the respective processing activity requires a data protection impact assessment is carried out directly in this directory.

Step 1

Creation of a register of processing activities for your company

Step 2

Assessment of the risks of the processing activities on the basis of a checklist

Step 3

Preparation of DIA for high risk processing activities

What are the contents of a data protection impact assessment?

The risk description

according to Article 35 of the GDPR a systematic description of the processing operations envisaged and the purposes of the processing, including, where relevant, the legitimate interests pursued by the controller, including an assessment of the necessity and proportionality of the processing operations in relation to the purpose.

The risk treatment

an assessment of the risk to the liberties of the persons concerned by classifying the probability of occurrence and the level of damage, and a final evaluation of the risk. In addition, measures to minimise or manage the risks.


The Robin Data software maps the documentation of the data protection impact assessment in a legally compliant and complete manner.

Who needs to carry out a data protection impact assessment?

According to Article 35(1) GDPR the controller must carry out the data protection impact assessment. Since the DPIA is a complex process, the data protection officer can assist in its implementation, as described in Article 35(2) of the GDPR. This only applies in the event that a data protection officer has been appointed. Read in our Article more on the appointment of a data protection officer.

What can happen if companies do not perform a DPIA?

Insofar as a company does not carry out a data protection impact assessment, although this would be necessary, in the mildest case there is the threat of warnings and in the worst case fines by the data protection supervisory authorities. Thus, according to Article 83(4) of the GDPR fines for breaches of provisions relating to data protection impact assessment of up to EUR 10 million or, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding business year, whichever is the greater.

Implementation of the data protection impact assessment with Robin Data software

If you are interested in implementing data protection impact assessment with Robin Data software, you can read the individual articles in our Help Center or read our daily Online demos visit.

Caroline Schwabe
Latest posts by Caroline Schwabe (see all)

This might interest you too:

Record of processing activities
List of processing activities according to Art. 30 DSGVO. Explained step by step with extensive information. Data protection made easy.
Data Protection Breaches
What is information security? Tasks of the information security officer and differentiation from data protection.
EU standard contractual clauses DSGVO international data transfer
On 07 June 2021, the European Commission published the new version of the EU Standard Contractual Clauses for the international transfer of personal data.