Article 35 of GDPR
Prior Data protection impact assessment


Data controllers with critical areas of personal data processing


Prior Data protection impact assessment is required under Article 35 for the critical areas of personal data processing, especially when it comes to:

  • evaluation or scoring, including profiling and predicting, especially from ‘aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements’,
  • automated-decision making with legal or similar significant effect,
  • systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area,
  • sensitive data or data of a highly personal nature: this includes special categories of personal data as defined in Article 9 (for example information about individuals’ political opinions), as well as personal data relating to criminal convictions or offences,
  • data processed on a large scale,
  • matching or combining datasets, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers,
  • data concerning vulnerable data subjects,
  • innovative use or applying new technological or organisational solutions, like combining use of finger print and face recognition for improved physical access control, etc.,
  • when the processing in itself “prevents data subjects from exercising a right or using a service or a contract”

Prior consultation with supervisory authority (Article 36 of GDPR)

Where it is apparent from the data protection impact assessment referred to in Article 35 that the treatment would entail a high risk if the operator did not take measures to eliminate or mitigate the risks to an acceptable level, the data controller should consult under Article 36 with the supervisory authorities and provide it with an impact assessment carried out.

The supervisor must then, within eight weeks of receipt of the request for consultation, advise the controller (where applicable, as well as the processor) on how to mitigate the risks if he considers that the treatment envisaged would violate the regulation. Given the complexity of the envisaged treatment, this period may be extended for a further period of six weeks.


The Data protection impact assessment consisting of at least the following:

  1.  systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. can assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned