The data protection impact assessment makes it possible to identify and mitigate data protection risks that could impair the rights and freedoms of individuals. In order to clarify which areas may require data protection impact assessments, the EU’s Data Protection Regulation (GDPR) allows national supervisory authorities to draw up and publish lists of areas that pose a high data protection risk. The EU Supervisory Authority received 22 lists from different countries with over 260 different areas. The opinions of the member states are based on Art. 35 para. 4 and 35 para. 6 of the EU-DSGVO and correspond to earlier recommendations of Working Party 29 as well as those of individual countries. (See German Data Protection Conference for a consolidated list of use cases of data protection impact assessment.)
The President of the European Data Protection Authority, Andrea Jelinek, commented: “It has been an enormous challenge for all the authorities involved to review the lists and filter out those areas that require privacy and data protection impact assessments. But it was also an excellent opportunity for the Committee to identify the possibilities and limitations of a consistent implementation in practice. The EU DSG Regulation does not call for full harmonisation or an “EU list”, but it does call for harmonisation of what we have achieved by transferring the 22 different lists into one common list”.
European Data Protection Board, Press release: Third Plenary session: EU-Japan draft adequacy decision, DPIA lists, territorial scope and e-evidence: (last visited 27.09.2018 at 11:01)