Data protection impact assessment (DPIA) under German law

DPIA list of the German supervisory authority

The German Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (Datenschutzkonferenz, DSK) has published a list of processing operations for which a DPIA is mandatory (the "must list" under Art. 35(4) GDPR). The list includes, among others, the following examples:

  • Evaluation or assessment, including profiling and prediction (behavioural analysis) for purposes that may have negative legal, physical, financial or other effects on a natural person
  • Collection of personal data via interfaces of personal electronic devices that are not protected against unauthorised access, where the collection is not apparent to the data subjects (e.g. NFC payment)
  • Use of artificial intelligence to process personal data to control the interaction with the data subject or to evaluate personal aspects of the data subject
  • Fraud prevention systems

The list also covers activities in the employment context, for example:

  • Monitoring of employees' activities, such as email traffic and internet use
  • Geolocation of employees

The full list is available (in German):

Guidelines of the supervisory authority

A short paper on the DPIA is available (in German) at:

An example of how to do a DPIA is published (in German):
