We’ve done a blog on the DPIA test in EU GDPR and, in particular, the EDPB Guidelines’ famous 9 Criteria to consider under EU GDPR when deciding whether a DPIA is required.
But the Guidelines didn’t stop there – they helpfully gave 9 Worked Examples of when you need to do a DPIA – so we’ve set them out here and, again, we’ve a great infographic for you!
Again, the EDPB Guidelines are very relevant to UK GDPR – they’re even expressly incorporated into the UK ICO’s guidance on when to do a DPIA. (As you’ll see in our blog on UK GDPR and the UK ICO’s own 10 DPIA Criteria.)
Let’s dive into the EDPB’s 9 Worked Examples of when you need to do a DPIA!
The EDPB’s 9 Worked Examples on DPIAs
The 9 Worked Examples apply the 9 Criteria. We’ve set those examples out below plus our lovely infographic.
As we saw in our blog on the criteria, the EDPB also gives 3 tips on how to apply the 9 Criteria:
- ‘In most cases, a data controller can consider that a processing meeting two criteria would require a DPIA to be carried out.’
- ‘In general, the [EDPB] considers that the more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA, regardless of the measures which the controller envisages to adopt.’
- ‘However, in some cases, a data controller can consider that a processing meeting only one of these criteria requires a DPIA.’

The EDPB’s 9 DPIA Worked Examples Keepabl Infographic
Worked Example #1: Hospital processing its patients’ genetic and health data
DPIA Needed? Yes
Criteria Engaged:
- #4 Sensitive or highly personal data
- #5 Large scale
- #7 Vulnerable data subjects
Worked Example #2: Individual physician, other health care professional or lawyer, processing personal data from patients or clients
DPIA Needed? No
Criteria Engaged:
- #4 Sensitive or highly personal data
- #7 Vulnerable data subjects
Worked Example #3: Camera system monitoring driving behaviour, analysing videos to single out cars
DPIA Needed? Yes
Criteria Engaged:
- #3 Systematic monitoring
- #8 Innovation & new technology
Worked Example #4: Company systematically monitoring employees’ activities, work stations, internet activity etc.
DPIA Needed? Yes
Criteria Engaged:
- #3 Systematic monitoring
- #7 Vulnerable data subjects
Worked Example #5: Gathering public social media data for generating profiles
DPIA Needed? Yes
Criteria Engaged:
- #1 Evaluation or scoring
- #4 Sensitive or highly personal data
- #5 Large scale
- #6 Matching or combining datasets
Worked Example #6: Institution creating a national level credit rating or fraud database
DPIA Needed? Yes
Criteria Engaged:
- #1 Evaluation or scoring
- #2 Automated decision-making (ADM) with legal or similar effect
- #4 Sensitive or highly personal data
- #9 Prevent rights or use of service
Worked Example #7: Archiving pseudonymised sensitive data on vulnerable data subjects of research projects or clinical trials
DPIA Needed? Yes
Criteria Engaged:
- #4 Sensitive or highly personal data
- #7 Vulnerable data subjects
- #9 Prevent rights or use of service
Worked Example #8: Online magazine using mailing list to send generic daily digest to subscribers
DPIA Needed? No
Criteria Engaged: None
Worked Example #9: E-Commerce site displaying ads for vintage car parts involving limited profiling based on items viewed or purchased on its site
DPIA Needed? No
Criteria Engaged: None
We trust this summary, and the infographic, are helpful to you in getting the job done on Privacy Governance at your organisation. Do read the full Guidelines. And do find out how easy we make managing Assessments in Keepabl.
Make your Assessments work in Keepabl
Arrange your demo to see how easy we can make managing Assessments for your organisation and get your two-week, no strings attached, FREE TRIAL of Keepabl!
And don’t just take our word for it… See how much our customers love us in our customer case studies!