Data Protection Impact Assessment (DPIA)

The Article 29 Working Party has subsequently issued Guidelines on Data Protection Impact Assessments. There are nine criteria to consider to determine whether to conduct a privacy impact assessment, and that an assessment should be made if two or more of those criteria are met.

The European Data Protection Board endorsed the GDPR related WP29 Guidelines.

In Finland, the Ombudsman has drawn up a list of “high risk” processing where an assessment must be carried out. The list requires a data protection impact assessment to be done in case of:

  • processing of genetic information;
  • processing of biometric data;
  • processing of genetic data; or
  • processing of personal data in whistleblowing systems.


Furthermore, the Ombudsman requires that DPIA must be done when personal data is collected from a source other than the individual without providing them with a privacy notice according to GDPR Article 14.5 b in conjunction with at least one other criteria listed by the Ombudsman (

However, the Finnish Data Protection Act provides several derogations with respect to the processing of personal data solely for academic, artistic and literary expression purposes. In these cases, a data protection impact assessment is not required.