Data protection impact assessment (DPIA) under Polish law

DPIA list of the Polish supervisory authority

The Polish supervisory authority has published a proposal for the list of processing activities, for which a DPIA will be required. The detailed list includes, for example:

  • Evaluation or assessment, including profiling and prediction (behavioral analysis) for purposes that may have negative legal, physical, financial or other effects on a person
  • Automated decision-making that produces legal, financial or similar material results
  • Processing of special categories of personal data, concerning convictions and legal violations

The proposed list includes many activities in the employment context, for example:

  • Monitoring of working time and IT systems
  • Processing of employee biometric data
  • Employee productivity-assessment systems

The full list (in Polish) is available at:

Unofficial translation in English:

Guidelines of the supervisory authorities

Guidelines on the DPIA (in Polish) are available at: and

Prior consultation

The request form (in Polish) for prior consultation (Art. 36 GDPR) may be found at:

Contact us!

Secure the knowledge of our experts!

Subscribe to our free newsletter: