Further to Article 35(4) and (6) GDPR, the competent supervisory authorities, i.e., the CNPD in Luxembourg, must establish a list of the kind of processing operations which are likely to result in a high risk for the rights and freedoms of data subject and, hence, subject to the requirement for a data protection impact assessment (hereinafter "DPIA"). Such lists come in addition to the examples of "high risk" situations foreseen in Article 35(3) GDPR.