The following list provides some practical examples of the types of processing operations which would require a DPIA under the list we are required to develop under Article 35(4) of the GDPR.

This has been developed to help controllers better understand when a DPIA is automatically required, or when one would be considered good practice.

It should be borne in mind that any list of this type cannot be definitive. For more information read the "When do we need to do a DPIA?" part of this guide.

Type of processing operation requiring a DPIA, each followed by non-exhaustive examples of existing areas of application:
Systematic evaluation based on automated processing or profiling resulting in legal/other significant effects
  • Credit checks
  • Mortgage / loan applications
  • Fraud prevention
  • Insurance underwriting
  • Application of AI
Large scale processing of Article 9/10 data
  • Political parties membership data
  • Trade Union membership data
  • Health records processed by Hospitals/health clinics/gym chains
  • Social care records
  • Research (including medical research)
  • Fraud prevention
  • Application of AI
  • Dating websites/applications
Systematic monitoring of a publicly available area on a large scale
  • Automatic number plate recognition
  • Intelligent transport systems
  • Traffic management systems involving monitoring of vehicle/driver behaviour
  • Wi-Fi/Bluetooth/RFID tracking
  • Audio/video surveillance of public areas
  • Application of AI
New technologies
  • Artificial intelligence, machine learning and deep learning
  • Connected and autonomous vehicles
  • Intelligent transport systems
  • Smart technologies (including wearables)
  • Market research involving neuro-measurement (i.e. emotional response analysis and brain activity)
Denial of service
  • Credit checks
  • Mortgage or insurance applications
  • Other pre-check processes related to contracts (i.e. smartphones)
Large-scale profiling
  • Data processed by Smart meters or IoT applications
  • Hardware/software offering fitness/lifestyle monitoring
  • Social media networks
  • Application of AI to existing process
Biometric data
  • Facial recognition systems
  • Workplace access systems/identity verification
  • Access control/identity verification for hardware/applications (including voice recognition/fingerprint/facial recognition)
Genetic data
  • Medical diagnosis
  • DNA testing
  • Medical research
Data matching
  • Fraud prevention
  • Direct marketing
  • Monitoring personal use/uptake of statutory services or benefits
  • Federated identity assurance services
Invisible processing
  • List brokering
  • Direct marketing
  • Online tracking by third parties
  • Online advertising
  • Data aggregation / data aggregation platforms
  • Re-use of publicly available data
  • Social networks, software applications
  • Hardware/software offering fitness/lifestyle/health monitoring
  • IoT devices, applications and platforms
  • Online advertising
  • Web and cross-device tracking
  • Data aggregation / data aggregation platforms
  • Eye tracking
  • Data processing at the workplace
  • Data processing in the context of home and remote working
  • Processing location data of employees
  • Loyalty schemes
  • Tracing services (tele-matching, tele-appending)
  • Wealth profiling – identification of high net-worth individuals for the purposes of direct marketing


Targeting of children/other vulnerable individuals for marketing, profiling for auto decision making or the offer of online services
  • Connected toys
  • Social networks
Risk of physical harm
  • Whistleblowing/complaint procedures
  • Social care records