List of data processing operations subject to the requirement to perform data protection impact assessment


2019 03 19



1. Personal data processing is conducted for scientific or historical research purposes in at least one of the following cases:

1.1. when special categories of personal data are being processed without the data subject`s consent or personal data processing is conducted matching or combining datasets;

1.2. when data of under-age persons are processed;

1.3. when the personal identification number is processed.

2. Large scale personal data processing, when personal data have been received not from the data subject, and the provision of information provided for in Article 14(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – the Regulation 2016/679) proves impossible or would involve a disproportionate effort or such provision of information is likely to render impossible or seriously impair the achievement of the objectives of that processing.

3. Personal data processing when notification of data recipients, to whom personal data were disclosed, on personal data rectification, erasure or restriction of processing of personal data in accordance with Article 19 of the Regulation 2016/679 19 proves impossible or would involve a disproportionate effort.

4. Processing of biometric data for the purpose of uniquely identifying a natural person when processing is done for the monitoring or control purposes or processing of personal data of vulnerable data subjects.

5. Processing of genetic data while evaluating the data subject`s features or scoring, including profiling and forecasting.

6. Processing of personal video data when video surveillance is conducted in at least one of the following cases:

6.1. in premises and/or territories which are not owned by the controller or managed on other legal grounds, when video surveillance is conducted in accordance with principles relating to the processing of personal data provided for in Article 5 of the Regulation 2016/679; 

6.2. at healthcare, social care, detention establishments and other agencies where services are provided for vulnerable data subjects;

6.3. combined with sound recording.

7. Recording of telephone conversations.

8. Personal data processing using innovative technologies or using existing technologies in a new way when personal data of vulnerable data subjects are processed.

9. Processing of personal data of children for direct marketing purposes, assessment of personal aspects of children which is based on automated processing, including profiling, or when information society services are offered to children directly.

10. Processing of personal data of employees for monitoring or control purposes: processing of personal video and/or sound data in a workplace and/or data controller`s premises or territories where its employees work; processing of personal data related to monitoring of employees, communication, behavior, place or movement.