Pursuant to Article 35 of the General Data Protection Regulation (GDPR), a controller must carry out a data protection impact assessment (DPIA) prior to any processing that is likely to result in a high risk to the rights and freedoms of natural persons. Article 36 of the GDPR stipulates that if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing.
Because in practice it is not always clear for which processing activities a DPIA is required, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens (DDPA)) published a list in 2018 of processing activities to which this applies. According to its 2018 Annual Report, the DDPA also sought the advice of the European Data Protection Board (EDPB) in setting up the list. The DDPA recently adopted and published (in Dutch) a decision setting out the definitive list of processing activities for which a DPIA is in any case required.
Compared to the list published in 2018, one processing activity has been added, namely the large-scale processing and/or systematic monitoring of biometric data for the purpose of identifying a natural person (number 17 in the list).