List of processing operations where a DPIA is always required

The Norwegian Data Protection Authority has recently published a list of processing operations that shall always require a data protection impact assessment (DPIA) pursuant to article 35(4) of the General Data Protection Regulation (GDPR).

Where an organization decides to use an IT solution, such as a new technology, or otherwise carries out processing operations that are likely to result in a high risk to the rights and freedoms of individuals, a DPIA is mandatory prior to any such processing. The DPIA should “describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.” (Guidelines on DPIA – WP 248 rev.01)

According to the GDPR, supervisory authorities in the EU/EEA shall establish and publish a list of processing operations that shall always require a DPIA (article 35(4)).

The list was approved by the European Data Protection Board (EDPB). It is available in both Norwegian and English.