The guidelines clarify the meaning of ‘is likely to involve a high risk for the rights and freedoms of the natural persons whose data is being processed’, and state that the list of examples given in Article 35(3) of the GDPR is non-exhaustive. In addition to this list, the WP29 has provided criteria that go beyond the three examples. These criteria include (but are not limited to) considering whether the processing concerns automated decision making, systematic monitoring, sensitive data, or data processed on a large scale. The WP29 considers that the more criteria the processing meets, the more likely it is to require a DPIA.

The guidelines also set out the basic requirements of an effective DPIA, and discuss how a DPIA should be carried out (e.g. when it should be done, who is obliged to carry it out, what methodology to use, and whether it should be published).