EuroComply

Do I need a DPIA for this processing activity?

A Data Protection Impact Assessment (DPIA) is mandatory for high-risk processing. Answer 7 questions to find out if your activity requires one.

Last updated: 1 May 2025

Does this processing activity require a DPIA under the GDPR?

Quick answer:

  • Yes path: DPIA mandatory — automated significant decisions
  • No path: DPIA is not required for this processing activity
  • Use the step-by-step decision tree below for your exact situation

Source: EUR-Lex — GDPR (Regulation 2016/679)
For informational purposes only. Consult qualified legal counsel before making compliance decisions.

Decision tree questions

  1. Does this processing activity involve automated decision-making that significantly affects individuals?

    Examples: automated credit scoring, AI-based hiring screening, insurance pricing algorithms, content moderation that restricts access to services.

    • Yes: DPIA mandatory — automated significant decisions
    • No: Continue to: Does it involve processing special category data (health, biometrics, political opinions, etc.) at large scale?
  2. Does it involve processing special category data (health, biometrics, political opinions, etc.) at large scale?

    Large scale: continuous or regular processing for thousands of data subjects. A hospital system or a health-monitoring app would typically qualify.

    • Yes: DPIA mandatory — large-scale special category data
    • No: Continue to: Does it involve systematic monitoring of a publicly accessible area at large scale?
  3. Does it involve systematic monitoring of a publicly accessible area at large scale?

    CCTV networks, public Wi-Fi tracking, pedestrian flow analytics, and similar mass surveillance in public spaces.

    • Yes: DPIA mandatory — public area monitoring
    • No: Continue to: Does the processing involve data of vulnerable individuals — children, patients, employees, or asylum seekers?
  4. Does the processing involve data of vulnerable individuals — children, patients, employees, or asylum seekers?

    These groups have reduced ability to object to processing. Processing their data is a DPIA risk factor.

    • Yes: Continue to: Does this activity match or combine data from multiple sources that individuals wouldn't reasonably expect?
    • No: Continue to: Does this activity use a new technology or apply technology in a novel way?
  5. Does this activity match or combine data from multiple sources that individuals wouldn't reasonably expect?

    For example: combining purchase history with location data, or enriching CRM records with social media profiles.

    • Yes: DPIA mandatory — multiple risk factors present
    • No: DPIA likely required — vulnerable data subjects
  6. Does this activity use a new technology or apply technology in a novel way?

    Examples: first deployment of facial recognition, a new ML model for personalisation, IoT sensors in a new context, federated learning.

    • Yes: DPIA recommended — novel technology use
    • No: DPIA is not required for this processing activity
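The six questions above form a small decision tree, and a privacy-engineering team will usually want it as code so that every assessment leaves an audit trail of which questions were reached and how they were answered. The following is an added example, not EuroComply's own code: the question ids `Q1` to `Q6`, the `DPIA_TREE` structure and the `assess` function are assumptions introduced here, and the outcome strings follow the page's wording.

```python
"""Walk the DPIA decision tree above and return the outcome with an audit trail."""

# Tree nodes: id -> (question summary, branch on Yes, branch on No). A branch is
# either another question id or a final outcome string taken from the page.
DPIA_TREE = {
    "Q1": ("automated decision-making that significantly affects individuals?",
           "DPIA mandatory - automated significant decisions", "Q2"),
    "Q2": ("special category data processed at large scale?",
           "DPIA mandatory - large-scale special category data", "Q3"),
    "Q3": ("systematic monitoring of a publicly accessible area at large scale?",
           "DPIA mandatory - public area monitoring", "Q4"),
    "Q4": ("data of vulnerable individuals?", "Q5", "Q6"),
    "Q5": ("matching or combining data from multiple sources?",
           "DPIA mandatory - multiple risk factors present",
           "DPIA likely required - vulnerable data subjects"),
    "Q6": ("new technology or technology applied in a novel way?",
           "DPIA recommended - novel technology use",
           "DPIA is not required for this processing activity"),
}


def assess(answers, start="Q1"):
    """Return (outcome, trail). `answers` maps question id -> bool.

    Only questions actually reached are consulted. A missing answer for a
    reached question raises ValueError, so an incomplete questionnaire is
    never silently treated as a "No" and waved through.
    """
    node, trail, seen = start, [], set()
    while node in DPIA_TREE:
        if node in seen:  # guards against a mis-edited tree that loops
            raise ValueError(f"cycle detected at {node}")
        seen.add(node)
        if node not in answers:
            raise ValueError(f"no answer recorded for {node}")
        _question, yes_branch, no_branch = DPIA_TREE[node]
        answer = bool(answers[node])
        trail.append((node, answer))
        node = yes_branch if answer else no_branch
    return node, trail


if __name__ == "__main__":
    # Constructed sample: an HR tool screening employees (a vulnerable group)
    # that does not combine data sources in unexpected ways.
    outcome, trail = assess({"Q1": False, "Q2": False, "Q3": False, "Q4": True, "Q5": False})
    print(outcome)
    for qid, ans in trail:
        print(f"  {qid}: {'yes' if ans else 'no'} - {DPIA_TREE[qid][0]}")
```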