European Citizens' Initiative

Data Protection Guidance - Question 6


When and how should you carry out a data protection impact assessment?

Applies to Case Scenario 2, except as regards the use of the Commission’s file exchange service

As the representative, you need to carry out a Data Protection Impact Assessment (DPIA) whenever processing is likely to result in a high risk to the rights and freedoms of individuals. Among other cases, a DPIA is notably required when sensitive data are processed on a large scale.

The European Data Protection Board (EDPB) has established Guidelines on Data Protection Impact Assessment (DPIA). You should also check whether your competent national Data Protection Authority has issued further guidance on when and how to conduct DPIAs.

The DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise. Where there are residual risks that cannot be mitigated by the measures put in place, the competent national Data Protection Authority must be consulted prior to the start of the processing.


You do not need to carry out a DPIA with regard to the processing under joint controllership with the Commission, as such processing is already covered by the DPIA carried out by the Commission (see Case Scenario 1).
