Further to Article 35(4) and (6) GDPR, the competent supervisory authority, i.e. the CNPD in Luxembourg, must establish a list of the types of processing operations which are likely to result in a high risk for the rights and freedoms of data subjects and, hence, require a data protection impact assessment. This list is in addition to the "high risk" situations foreseen by Article 35(3) GDPR.