This post is also available in: Español

El artículo 35 del Reglamento General de Protección de Datos (RGPD) introduce la figura de la evaluación de impacto en materia de protección de datos (EIPD), que deberá llevarse a cabo antes de iniciar un tratamiento de datos por el que exista un potencial riesgo alto de menoscabar los derechos y libertades de las personas físicas.

Article 35(2) establishes the criteria to determine whether that is the case. Specifically, the DPIA is required in the event of:

  • a systematic and extensive evaluation of personal aspects relating to natural persons (including profiling or decisions based on automated processing);
  • processing on a large scale of special categories of data; and
  • a systematic monitoring of a publicly accessible area.

According to article 35(4) GDPR, the supervisory authority must establish and make public a list of the type of processing operations subject to the requirement for a DPIA. In accordance with this provision, the Spanish Data Protection Agency (AEPD) has published a List of the types of data processing that require a data protection impact assessment.

This non-exhaustive list includes the following 11 scenarios. If two or more occur, the data controller is required to carry out a DPIA:

  • Processing that involves profiling.
  • Processing that involves automated decision-making.
  • Processing that involves the observation, monitoring, supervision, geo-location, or control of the interested party in a systematic and extensive manner.
  • Processing that involves the use of special categories of data or criminal convictions and offenses.
  • Processing that involves the use of biometric data for the purpose of uniquely identifying a natural person.
  • Processing that involves the use of genetic data.
  • Processing that involves the use of data on a large scale.
  • Processing that involves the association, combination, or linking of records in databases with different aims or by different controllers.
  • Data processing regarding vulnerable subjects or those who are at risk of social exclusion, including minors and people with disabilities.
  • Processing that involves the use of new technologies or an innovative use of consolidated technologies in a manner that entails new forms of data collection and usage.
  • Data processing that prevents interested parties from exercising their rights, using a service, or executing a contract.

Before carrying out the DPIA, data controllers must analyze the risks of the processing operations in their area of activity. To facilitate this task, the AEPD published a Risk assessment guide. Where the analysis determines that the risk to rights and freedoms is high, the controller must assess the origin, nature, particularity and seriousness of that risk, and it may rely on the AEPD’s Practical Guide for that purpose.

Autores: Esther Ballesteros y Sergi Galvez

This post is also available in: Español



62 artículos


42 artículos

Asociado del Área de Propiedad Intelectual y Protección de Datos. Especialista en protección de datos y tecnologías disruptivas. Participa en el asesoramiento recurrente en materia de protección de datos y contratación tecnológica de compañías nacionales e internacionales, especialmente en la configuración jurídica de evaluaciones de impacto, transferencias internacionales de datos personales, contratos de encargo de tratamiento y en el asesoramiento durante violaciones de seguridad. Además de prestar asesoramiento continuado a clientes en los ámbitos mencionados, tiene experiencia en asesorar a empresas de diferentes sectores en la configuración legal de proyectos que implementan tecnologías disruptivas, tales como el Big Data, Internet of Things, artificial intelligence y smart robots.