The final list of processing operations subject to the requirement of a DPIA has been published.

​As highlighted in the past March release of the Data Protection Bites, on 12^th of March the EDPB (European Data Protection Board) published its Opinion 3/2019 to the draft list submitted by the Spanish Supervisory Authority (Agencia Española de Protección de Datos, hereinafter, AEPD) regarding the processing operations subject to the requirement of a DPIA in accordance with paragraph 4 of article 35 of the GDPR.

Almost two months later, on 6^th of May, the AEPD has published the final list which now includes the amendments that, in light of the EPDB’s Opinion, the AEPD had to carry out in order to preserve the consistence application of the requirements to undertake a DPIA set down by the GDPR.

The final list includes eleven (11) different processing operations and follows the criteria already outlined by the former Working Party of Article 29 (now, the EDPB) in the “Guidelines WP 248 on Data Protection Impact Assessment (DPIA) and determining whether processing is «likely to result in a high risk» for the purposes of Regulation 2016/679”.

The AEPD makes clear that it constitutes a non-exhaustive list and that when a processing operation fulfils two or more criteria set out on the list, it will most likely need to be subject to a DPIA, “unless such processing operation is included in the list referred to in Article 35.5 of the GDPR of processing operations for which no DPIA is required”. 

From such a statement we can already draw the conclusion that the AEPD is planning to work on such a list, although it was set as facultative by the GDPR and not as an obligation of the supervisory authorities such as the list referred to in Article 35.4.

The list can be consulted in the following link (only Spanish version): https://www.aepd.es/media/criterios/listas-dpia-es-35-4.pdf