A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases:
- a systematic and extensive evaluation of the personal aspects of an individual, including profiling;
- processing of sensitive data on a large scale;
- systematic monitoring of public areas on a large scale.
National Data Protection Authorities, in concertation with the European Data Protection Board, may provide lists of cases where a DPIA would be required. The DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise. Where there are residual risks that can’t be mitigated by the measures put in place, the DPA must be consulted prior to the start of the processing.
A bank screening its customers against a credit reference database; a hospital about to implement a new health information database with patients’ health data; a bus operator about to implement on-board cameras to monitor drivers’ and passengers’ behaviour.
DPIA not required
A community doctor processing personal data of his patients. In that case, there is no need for a DPIA since the processing by the community doctors isn’t done on a large scale in cases where the number of patients is limited.