On 6 May 2019, the Spanish Data Protection Agency (AEPD) published a non-exhaustive list of data processing operations that are subject to the requirement of a data protection impact assessment in compliance with Article 35(4) of the General Data Protection Regulation (GDPR), which provides that competent supervisory authorities shall establish and make public such a list.

The document published by the AEPD aims to provide certainty to organisations by listing a series of data processing operations that will always be considered as likely to result in a risk to the rights and freedoms of natural persons.

What data processing operations require a data protection impact assessment?

The AEPD has established that a data protection impact assessment will be necessary in most cases where the data processing meets two or more of the criteria indicated in the list, unless the processing operation is amongst those identified as not requiring an impact assessment, in compliance with Article 35(5) GDPR.

The personal data processing operations included in this list are those involving: 

  •  The profiling of natural persons.
  •  Automated decision-making.
  •  The monitoring, geolocation or observation of data subjects.
  •  Special categories of personal data, data on criminal convictions and offences or data making it possible to determine the data subject’s economic situation.
  •  The use of biometric data for the purpose of identifying a natural person.
  •  The use of genetic data.
  •  The use of big data.
  •  The association or combination of database records, oftwo or more processing operations and with different processing purposes or different controllers.
  •  The personal data ofvulnerable natural persons(such asthe disabled,victims ofgender violence, etc.) or of minors under the age of 14 years.
  •  The use of new technologies.
  •  The prevention of data subjects from exercising a right or using a service or a contract

What similarities are there between Spain’s list and that of other European countries? 

The list of processing operations requiring an impact assessment published by the AEPD is very similar to the lists published by other supervisory authorities, such as the French, English, German or Italian. 

Processing operations involving biometric or genetic data, special categories of personal data and the use of new technologies or profiling are operations that most Member States have included in their respective lists as determining criteria for carrying out an impact assessment.

Some Member States of the European Union have included, however, some distinct features in their lists. Such is the case of Bulgaria (which requires an impact assessment when the processing involves the migration of data from one system to another) or Greece, the Netherlands and Portugal (which require it when data processing is carried out for the purposes of scientific and historical research); provided, nonetheless, that at least two other criteria from their lists apply.

Therefore, although there is some similarity between the Member State’s lists of processing operations that require an impact assessment, consideration should be given to the specific list of the country in which the processing operation is to be initiated.