DPIA list of the German supervisory authority
The German Data Protection Conference (Datenschutzkonferenz, DSK), the joint body of the federal and state supervisory authorities, has published a blacklist of processing activities for which a DPIA is mandatory under Art. 35(4) GDPR. The detailed list includes the following examples:
- Evaluation or assessment, including profiling and prediction (behavioural analysis) for purposes that may have negative legal, physical, financial or other effects on a natural person
- Collection of personal data via interfaces of personal electronic devices that are not protected against unauthorized readout, where the data subject cannot notice the collection (e.g. NFC payment)
- Use of artificial intelligence to process personal data to control the interaction with the data subject or to evaluate personal aspects of the data subject
- Fraud prevention systems
The mandatory list also covers processing activities in the employment context, such as the following:
- Monitoring of working activities, such as mail traffic and use of internet
- Geolocation of employees
The full list is available (in German): https://www.lda.bayern.de/media/dsfa_muss_liste_dsk_de.pdf
Guidelines of the supervisory authorities
A short paper on the DPIA is available (in German) at: https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_5.pdf
A worked example of how to carry out a DPIA is published (in German): https://www.datenschutzzentrum.de/uploads/datenschutzfolgenabschaetzung/20171106-Planspiel-Datenschutz-Folgenabschaetzung.pdf