The Spanish Data Protection Agency (SDPA) has published the list of personal data processing operations for which it is mandatory to carry out a data protection impact assessment. Article 35.1 of the GDPR establishes that organizations processing personal data are obliged to carry out a data protection impact assessment (DPIA) before putting such processing into practice, when it is likely to entail a high risk to individuals' rights and freedoms.

The agency has determined that a DPIA will be necessary in most cases in which the proposed processing meets two or more criteria on the list, which include:

  • profiling; systematic and exhaustive observation, geolocation or control
  • the use of biometric data to unequivocally identify a person
  • data that makes it possible to determine financial solvency/creditworthiness
  • the processing of unique identifiers that make it possible to identify users of information society services, such as web services, interactive television or mobile applications.