On 8 July 2019, the Communication of the President of the Personal Data Protection Office of 17 June 2019 concerning the list of the kind of processing operations which are subject to the requirement for a data protection impact assessment (DPIA) was presented.
Any process meeting at least two of the relevant criteria will require a data protection impact assessment. In some cases, however, an inspector may consider that a process meeting only one of these criteria will require a data protection impact assessment. The more criteria the processing fulfils, the more likely it is that a high risk of breach of the rights or freedoms of data subjects is likely to arise and consequently, irrespective of the measures envisaged by the inspector to be applied, a data protection impact assessment will be required.
The list has been updated to take account of the opinion of the European Data Protection Board and also covers processing activities which involve offering goods or services to data subjects or monitoring their behaviour in several Member States or which may significantly affect the free movement of personal data in the European Union
