Data Protection Impact Assessments (Article 35)
A Data Protection Impact Assessment (DPIA), as mandated by Article 35 of the General Data Protection Regulation (GDPR), is a systematic process designed to identify, assess, and mitigate risks to individuals' rights and freedoms arising from data processing activities. It is a critical accountability tool that demonstrates an organization's commitment to data protection compliance. A DPIA is required when processing is likely to result in a 'high risk' to the rights and freedoms of natural persons. Article 35 specifically identifies three scenarios where a DPIA is mandatory: (1) systematic and extensive evaluation of personal aspects using automated processing, including profiling, that produces legal or similarly significant effects; (2) large-scale processing of special categories of data or data relating to criminal convictions; and (3) systematic monitoring of publicly accessible areas on a large scale. Supervisory authorities are also required to publish lists of processing operations that require a DPIA, and may also publish lists of operations that do not require one. The DPIA must contain, at minimum: a systematic description of the envisaged processing operations and their purposes, including any legitimate interests pursued; an assessment of the necessity and proportionality of the processing; an assessment of the risks to individuals' rights and freedoms; and the measures envisaged to address those risks, including safeguards, security measures, and mechanisms to ensure compliance. The data controller must seek the advice of the Data Protection Officer (DPO), where designated, when carrying out a DPIA.
If the assessment indicates that the processing would result in a high risk that cannot be sufficiently mitigated, the controller must consult with the relevant supervisory authority under Article 36 (prior consultation) before proceeding. DPIAs are not one-time exercises; they should be reviewed and updated when there are changes in the risk presented by the processing. This ensures ongoing compliance and reinforces the GDPR's principle of accountability.
Data Protection Impact Assessments (Article 35) – A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
Data Protection Impact Assessments (DPIAs) are one of the most critical accountability mechanisms under the General Data Protection Regulation (GDPR). Enshrined in Article 35 GDPR, DPIAs require controllers to systematically evaluate the impact of their data processing activities on the rights and freedoms of natural persons. For CIPP/E exam candidates, understanding DPIAs inside and out is essential — they appear frequently in exam questions and intersect with many other GDPR concepts including lawful bases, data protection by design, prior consultation, and the role of the Data Protection Officer (DPO).
Why Are DPIAs Important?
DPIAs are important for several interconnected reasons:
1. Proactive Risk Management: DPIAs shift the data protection paradigm from reactive (responding to breaches after they occur) to proactive (identifying and mitigating risks before processing begins). This is a cornerstone of the accountability principle under Article 5(2) GDPR.
2. Protecting Fundamental Rights: The primary purpose of a DPIA is to assess the impact of processing on the rights and freedoms of natural persons. This includes the right to privacy, the right to non-discrimination, freedom of expression, and other fundamental rights enshrined in the EU Charter of Fundamental Rights.
3. Demonstrating Compliance: Conducting a DPIA — and documenting it properly — is a key way for controllers to demonstrate compliance with the GDPR. Supervisory authorities may request evidence of DPIAs during audits or investigations.
4. Avoiding Regulatory Sanctions: Failure to carry out a required DPIA can result in administrative fines of up to €10 million or 2% of annual global turnover (whichever is higher) under Article 83(4)(a).
5. Building Trust: Organisations that routinely conduct DPIAs signal to data subjects, business partners, and regulators that they take data protection seriously. This builds public trust and strengthens reputation.
6. Embedding Data Protection by Design and by Default: DPIAs operationalise the principle of data protection by design and by default (Article 25) by requiring organisations to think about privacy from the earliest stages of project planning.
What Is a Data Protection Impact Assessment?
A DPIA is a structured process designed to:
- Describe the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller.
- Assess the necessity and proportionality of the processing in relation to the purposes.
- Assess the risks to the rights and freedoms of data subjects.
- Identify the measures envisaged to address those risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
A DPIA is not a one-off checkbox exercise. It is a living process that should be revisited and updated when there is a change in the risk represented by the processing operations.
When Is a DPIA Required?
Under Article 35(1), a DPIA is required when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context, and purposes of the processing. This assessment should be carried out prior to the processing.
Article 35(3) provides three specific scenarios where a DPIA is always required:
(a) Systematic and extensive profiling with significant effects: A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
(b) Large-scale processing of special categories of data or criminal conviction data: Processing on a large scale of special categories of data referred to in Article 9(1) or of personal data relating to criminal convictions and offences referred to in Article 10.
(c) Systematic monitoring of a publicly accessible area on a large scale: For example, large-scale CCTV surveillance of public spaces.
Important note: These three scenarios are not exhaustive. A DPIA may be required in other situations where high risk is likely.
The Role of Supervisory Authorities — Blacklists and Whitelists
Under Article 35(4), each supervisory authority must establish and publish a list of processing operations that require a DPIA (commonly known as a blacklist). These lists must be communicated to the European Data Protection Board (EDPB).
Under Article 35(5), supervisory authorities may also establish a list of processing operations that do not require a DPIA (commonly known as a whitelist). These are optional.
For exam purposes, remember: Blacklists are mandatory; whitelists are optional.
The WP29/EDPB Criteria for Identifying High Risk
The Article 29 Working Party (now the EDPB) issued guidelines (WP 248 rev.01) identifying nine criteria for assessing whether processing is likely to result in high risk. As a general rule, if two or more of these criteria are met, a DPIA is likely required:
1. Evaluation or scoring (including profiling and predicting)
2. Automated decision-making with legal or similar significant effect
3. Systematic monitoring
4. Sensitive data or data of a highly personal nature (e.g., special categories, financial data, location data)
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable data subjects (e.g., children, employees, patients, elderly)
8. Innovative use or applying new technological or organisational solutions
9. Processing that in itself prevents data subjects from exercising a right or using a service or a contract
Exam tip: Be prepared to apply these criteria to scenario-based questions. You may be asked whether a DPIA is required in a given situation.
What Must a DPIA Contain?
Under Article 35(7), a DPIA must contain at least the following four elements:
1. A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller.
2. An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
3. An assessment of the risks to the rights and freedoms of data subjects.
4. The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
How Does the DPIA Process Work in Practice?
While the GDPR does not prescribe a specific methodology, the typical DPIA process follows these steps:
Step 1 — Identify the Need for a DPIA
Determine whether the proposed processing is likely to result in high risk. Use the EDPB nine criteria, the supervisory authority blacklist, and Article 35(3) as your guide.
Step 2 — Describe the Processing
Document the nature, scope, context, and purposes of the processing. Include details about the data flows, the types of personal data, the data subjects, the recipients, and the retention periods.
Step 3 — Consult Relevant Stakeholders
Under Article 35(2), the controller must seek the advice of the Data Protection Officer (DPO), where designated. Under Article 35(9), the controller must, where appropriate, seek the views of data subjects or their representatives (unless doing so would compromise commercial interests, the security of the processing, or other valid grounds).
Step 4 — Assess Necessity and Proportionality
Evaluate whether the processing is necessary to achieve the stated purposes and whether less intrusive alternatives exist. Consider the lawful basis, data minimisation, purpose limitation, storage limitation, and data subject rights.
Step 5 — Identify and Assess Risks
Analyse the risks to the rights and freedoms of data subjects. Consider the likelihood and severity of potential harm, including physical, material, or non-material damage (e.g., discrimination, identity theft, financial loss, reputational damage, loss of confidentiality).
Step 6 — Identify Measures to Mitigate Risks
Determine what technical and organisational measures can be implemented to reduce identified risks to an acceptable level. Examples include encryption, pseudonymisation, access controls, staff training, data minimisation, and contractual safeguards.
Step 7 — Sign Off and Record Outcomes
Document the DPIA findings, the decision to proceed (or not), and the rationale. Senior management should approve the DPIA.
Step 8 — Integrate Outcomes into Processing
Implement the identified measures. Ensure the processing aligns with the DPIA conclusions.
Step 9 — Keep Under Review
Under Article 35(11), the controller must carry out a review to assess whether processing is performed in accordance with the DPIA, at least when there is a change in the risk represented by the processing operations.
What Happens If Risks Cannot Be Mitigated?
If the DPIA reveals that the processing would result in a high risk and the controller cannot sufficiently mitigate that risk, the controller must engage in prior consultation with the supervisory authority under Article 36. The supervisory authority then has up to eight weeks (extendable by six weeks for complex cases) to provide written advice. The supervisory authority may exercise any of its powers under Article 58, including prohibiting the processing.
Key connection: Article 35 (DPIA) and Article 36 (prior consultation) work hand in hand. A DPIA may trigger prior consultation, but prior consultation is not needed for every DPIA — only where residual high risk remains.
Who Is Responsible for the DPIA?
The controller is responsible for carrying out the DPIA. This obligation cannot be delegated to the processor, although the processor must assist the controller under Article 28(3)(f).
The DPO plays an advisory role. Under Article 35(2), the controller must seek the DPO's advice. Under Article 39(1)(c), the DPO's tasks include providing advice on DPIAs and monitoring their performance.
Important distinction for the exam: The controller carries out the DPIA; the DPO advises on the DPIA. The DPO does not perform the DPIA — the controller does.
Exceptions — When Is a DPIA Not Required?
A DPIA is not required in the following situations:
1. When the processing is not likely to result in a high risk to the rights and freedoms of natural persons.
2. When the processing is on the supervisory authority's whitelist (Article 35(5)).
3. When the processing has a legal basis in EU or Member State law which regulates the specific processing operation, and a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis — unless the Member State considers it necessary (Article 35(10)).
4. When very similar processing operations have already been assessed via a single DPIA covering them all (Article 35(1) allows a single DPIA for similar processing operations with similar high risks).
Relationship to Other GDPR Provisions
Understanding how Article 35 connects to other GDPR provisions is essential for exam success:
- Article 5(2) — Accountability: DPIAs are a key accountability tool.
- Article 24 — Responsibility of the controller: DPIAs help controllers demonstrate that processing complies with the GDPR.
- Article 25 — Data protection by design and by default: DPIAs help operationalise this principle.
- Article 28(3)(f) — Processor obligations: Processors must assist controllers with DPIAs.
- Article 36 — Prior consultation: Triggered when residual high risk remains after the DPIA.
- Article 39(1)(c) — DPO tasks: DPOs advise on and monitor DPIAs.
- Article 83(4)(a) — Fines: Failure to conduct a DPIA can result in fines up to €10 million or 2% of global turnover.
Common Misconceptions About DPIAs
- Misconception: A DPIA is always required. Reality: A DPIA is only required when processing is likely to result in a high risk.
- Misconception: The DPO carries out the DPIA. Reality: The controller carries out the DPIA; the DPO advises.
- Misconception: A DPIA guarantees that processing can proceed. Reality: A DPIA might conclude that risks cannot be mitigated, requiring prior consultation or even abandonment of the processing.
- Misconception: A DPIA is a one-time exercise. Reality: DPIAs must be reviewed and updated when risks change.
- Misconception: A DPIA must always involve consulting data subjects. Reality: Article 35(9) says the controller shall seek the views of data subjects where appropriate, not in every case.
Exam Tips: Answering Questions on Data Protection Impact Assessments (Article 35)
Tip 1 — Know the Trigger: The exam will frequently test whether you can identify when a DPIA is required. Remember the threshold: processing that is likely to result in a high risk to the rights and freedoms of natural persons. Memorise the three specific scenarios in Article 35(3) and the nine WP29/EDPB criteria. If a scenario question presents two or more of the nine criteria, a DPIA is very likely required.
Tip 2 — Memorise the Four Minimum Contents: Article 35(7) outlines the four mandatory elements of a DPIA: (1) systematic description of processing, (2) necessity and proportionality assessment, (3) risk assessment, and (4) mitigation measures. Exam questions may test these directly.
Tip 3 — Distinguish Between the Controller and the DPO: A common exam trap is to ask who is responsible for carrying out the DPIA. The answer is always the controller. The DPO advises and monitors. Do not confuse the two roles.
Tip 4 — Link DPIAs to Prior Consultation: Understand the relationship between Article 35 and Article 36. A DPIA comes first. If the controller cannot mitigate the identified high risk, then prior consultation with the supervisory authority is required under Article 36. Not all DPIAs lead to prior consultation — only those where residual risk remains high.
Tip 5 — Remember the Blacklist and Whitelist Distinction: Supervisory authorities must publish a blacklist (Article 35(4)) but may publish a whitelist (Article 35(5)). This is a frequently tested distinction.
Tip 6 — Watch for Scenario Questions Involving Special Categories of Data: Large-scale processing of Article 9 special category data always requires a DPIA under Article 35(3)(b). If the scenario involves health data, biometric data, political opinions, or any other special category on a large scale, select the answer that requires a DPIA.
Tip 7 — Consider Vulnerable Data Subjects: Questions involving children, employees, or patients should alert you to a higher likelihood that a DPIA is required. Vulnerability of data subjects is one of the nine EDPB criteria.
Tip 8 — Know the Fine Level: Failure to carry out a required DPIA falls under Article 83(4)(a), attracting fines of up to €10 million or 2% of global turnover. This is the lower tier of GDPR fines. Do not confuse it with the higher tier (€20 million or 4%) which applies to breaches of data processing principles, lawful bases, and data subject rights.
Tip 9 — Understand the Ongoing Nature of DPIAs: Article 35(11) requires controllers to review whether processing is performed in accordance with the DPIA at least when there is a change in risk. If an exam question asks about updating a DPIA, the answer relates to changes in the risk profile of the processing.
Tip 10 — Process of Elimination in Multiple Choice: If a question asks what is NOT required in a DPIA, eliminate the four minimum contents of Article 35(7). The remaining option is likely the correct answer. Similarly, if asked about exceptions to the DPIA requirement, remember the legal basis exception in Article 35(10) and the whitelist concept in Article 35(5).
Tip 11 — Consultation with Data Subjects: Remember that Article 35(9) requires the controller to seek the views of data subjects where appropriate. This is not an absolute requirement. If a question presents a scenario where consulting data subjects would compromise security or commercial interests, the controller may justifiably choose not to consult them.
Tip 12 — Single DPIA for Similar Operations: Article 35(1) allows a single DPIA to address a set of similar processing operations that present similar high risks. This is a practical measure that examiners sometimes test.
Summary Table for Quick Revision
What: A structured assessment of processing operations' impact on data subject rights and freedoms
When: Prior to processing that is likely to result in high risk
Who carries it out: The controller
Who advises: The Data Protection Officer
Minimum contents: (1) Description of processing, (2) Necessity and proportionality, (3) Risk assessment, (4) Mitigation measures
Always required (Article 35(3)): (a) Systematic/extensive profiling with significant effects, (b) Large-scale special category/criminal data processing, (c) Large-scale systematic monitoring of public areas
Blacklists: Mandatory (Article 35(4))
Whitelists: Optional (Article 35(5))
If high risk remains: Prior consultation under Article 36
Fines for non-compliance: Up to €10 million or 2% of global annual turnover
Review: At least when the risk changes (Article 35(11))
Conclusion
Data Protection Impact Assessments are a foundational element of the GDPR's accountability framework. They require controllers to think critically about how their processing activities affect individuals, to document their analysis, and to take meaningful steps to mitigate identified risks. For the CIPP/E exam, mastering Article 35 means understanding not just the mechanics of DPIAs, but also their relationship with the broader GDPR framework — including the roles of the controller and DPO, the link to prior consultation, the criteria for identifying high risk, and the consequences of non-compliance. By internalising the tips and principles outlined in this guide, you will be well-prepared to tackle any DPIA-related question that appears on the exam.