Data protection impact assessment (DPIA) under Italian law

DPIA list of the Italian supervisory authority

The Blacklist of activities that trigger the need for a data protection impact assessment (DPIA) is available at https://www.garanteprivacy.it/documents/10160/0/ALLEGATO+1+Elenco+delle+tipologie+di+trattamenti+soggetti+al+meccanismo+di+coerenza+da+sottoporre+a+valutazione+di+impatto  (in Italian).  It mentions, for example, non-occasional processing of data of vulnerable individuals (minors, elderly, disabled, mentally ill, patients, asylum seekers) and processing carried out in the context of employment relationship through technological systems (including video surveillance and geolocation) that results in the possibility of an employee’s remote control.

Guidelines of the supervisory authority

There are no derogations from the GDPR. Garante has published an information sheet dedicated to the DPIA, as well as an overview of the main points of the WP29 guidelines: https://www.garanteprivacy.it/regolamentoue/DPIA (in Italian).