Data Protection Impact Assessment (DPIA)

Under the GDPR, there is a new general accountability obligation to demonstrate compliance with the Regulation by conducting a privacy impact assessment when ‘high-risk’ processing is carried out. ‘High-risk’ processing includes:

  • systematic and extensive profiling that produces legal effects or significantly affects individuals;
  • processing sensitive personal data on a large scale; and
  • systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).

The Article 29 Working Party has issued Guidelines on Data Protection Impact Assessments (WP 248). The European Data Protection Board (EDPB) endorsed the GDPR-related WP29 Guidelines.

In Austria, there is a Privacy Impact Exception Regulation (DSFA-AV), which is a list of the types of processing operations for which no privacy impact assessment is required (Article 35 (5) GDPR).

Please visit:

Data Protection Impact Assessment Exception Regulation (DSFA-AV), Federal Law Gazette II No. 108/2018

Explanations on the draft DSFA-AV of 21 March 2018 (PDF, 255 KB)


The Austrian Data Protection Authority issued a regulation on processing operations for which a privacy impact assessment is to be carried out (DSFA-V) and explanations to it.

Please visit:

DPA Regulation on processing operations for which a DPIA is to be carried out (DSFA-V) (PDF, 322 KB)

Explanations to the DSFA-V (PDF, 192 KB)