---
title: "When does the EU GDPR require a DPIA?"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold"
author: "Sorena AI"
description: "Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU GDPR"
  - "GDPR DPIA"
  - "Article 35"
  - "data protection impact assessment"
  - "high-risk processing"
  - "GDPR"
  - "DPIA"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# When does the EU GDPR require a DPIA?

Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.

*FAQ* *EU GDPR*

## When does the EU GDPR require a DPIA?

A DPIA is required before processing when the planned operation is likely to result in a high risk to people, taking account of the nature, scope, context, purposes, and use of new technologies.

Use this answer to check Article 35(3) trigger cases, WP29 high-risk criteria, supervisory-authority list references, and the minimum contents of the DPIA record.

Under EU GDPR Article 35, the controller must carry out a data protection impact assessment before processing where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The threshold check should be made per processing operation, before launch, and should leave enough evidence to explain why a DPIA was required, not required, or reused from a similar high-risk assessment.

## Short answer: when is a DPIA mandatory under EU GDPR Article 35?

A DPIA is mandatory when the planned processing is likely to result in a high risk to individuals. Article 35 says the controller must assess the impact before the processing starts, especially where new technologies are used and the nature, scope, context, and purposes of the operation make the risk high.

Article 35(3) gives three cases where a DPIA is required in particular: systematic and extensive automated evaluation, including profiling, that produces legal or similarly significant effects; large-scale processing of special-category data or criminal-offence data; and large-scale systematic monitoring of a publicly accessible area.

- Treat the controller as accountable for the DPIA threshold decision, even where a processor or vendor provides inputs.
- Run the threshold check before launch and again when the risk represented by the processing changes.
- Use one DPIA for a set of similar processing operations only where they present similar high risks.
- If the assessment shows residual high risk without measures to mitigate it, escalate to prior consultation under Article 36.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 35](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35 sets the core DPIA threshold, timing, Article 35(3) trigger examples, review duty, and minimum DPIA content.
- [Irish Data Protection Commission guidance on DPIAs](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments?ref=sorena.io) - The DPC guidance explains Article 35 DPIA triggers, WP29 high-risk criteria, reuse of similar DPIAs, lifecycle timing, and documentation expectations.

## How should the high-risk threshold be checked?

Start with the three Article 35(3) cases, then test the broader high-risk criteria described in DPIA guidance: evaluation or scoring, automated decisions with legal or similar significant effects, systematic monitoring, sensitive or criminal-offence data, large scale, matched or combined datasets, vulnerable people, innovative technology, cross-border transfers outside the EU, and processing that prevents people from exercising a right or using a service or contract.

The DPC guidance reports the WP29 rule of thumb: the more criteria a processing operation meets, the more likely it is to require a DPIA; operations meeting at least two criteria will require a DPIA, and a controller that decides otherwise should thoroughly document why the processing is not likely to be high risk.

- Describe the processing operation, not just the product name or vendor system.
- Record which Article 35(3) case or high-risk criteria are present, absent, or uncertain.
- For large-scale processing, document the number or proportion of people affected, data volume and variety, duration or permanence, and geographic extent.
- Check whether data subjects include children, employees, patients, asylum seekers, elderly people, or another group with a power imbalance or special vulnerability.
- Escalate borderline cases where multiple criteria are present, the technology is novel, or people cannot reasonably avoid the processing.

Sources for this answer:

- [Irish Data Protection Commission guidance on DPIAs](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments?ref=sorena.io) - The DPC guidance lists high-risk criteria from the Article 29 Working Party DPIA guidance, including scale factors and the two-criteria rule of thumb.
- [Regulation (EU) 2016/679 (GDPR), Article 35](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35(3) names three processing cases where a DPIA is required in particular.

## How should supervisory-authority list references be used?

Article 35(4) requires each supervisory authority to establish and publish a list of processing operations that are subject to the DPIA requirement, and Article 35(5) allows a supervisory authority to publish a list of operations for which no DPIA is required. Use those lists as a jurisdiction-specific check only where the relevant list is actually available and applicable to the processing operation.

Do not treat a general guidance page, sector label, vendor statement, or non-applicable national list as an exemption. If a no-DPIA list is used, the decision should explain why the processing falls strictly within the listed procedure and continues to meet the relevant requirements.

- Identify the competent supervisory authority before relying on a DPIA-required or no-DPIA list.
- Record the list entry, the processing facts that match it, and any conditions or limits stated in the list.
- Where processing involves several Member States or behavioural monitoring across Member States, flag that Article 35 list issues may involve GDPR consistency-mechanism considerations.
- If the folder does not ground a specific national list entry, leave the page at Article 35 list mechanics rather than naming that entry.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 35](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35(4) and 35(5) require or permit supervisory-authority lists for processing operations that do or do not require a DPIA.
- [Irish Data Protection Commission guidance on DPIAs](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments?ref=sorena.io) - The DPC guidance explains that a no-DPIA list applies only where the processing falls strictly within the listed procedure and requirements.

## What must the DPIA contain once the threshold is met?

If the threshold is met, Article 35(7) requires the DPIA to contain at least four elements: a systematic description of the envisaged processing and purposes, an assessment of necessity and proportionality, an assessment of risks to data subjects' rights and freedoms, and the measures envisaged to address those risks and demonstrate GDPR compliance.

CNIL's PIA methodology maps those elements into practical records: context and processing description; fundamental-principles analysis covering purpose, lawfulness, minimization, storage, information, rights, processors, and transfers; privacy-risk analysis; and formal validation involving DPO advice and, where appropriate, views of data subjects or their representatives.

- Keep the nature, scope, context, purposes, personal data, recipients, retention periods, functional description, and supporting assets in the DPIA file.
- Document necessity and proportionality against the purpose, lawful basis, data minimization, storage limits, transparency, data-subject rights, processor controls, and transfer safeguards.
- Assess risk from the perspective of affected individuals, including severity, likelihood, risk sources, and impacts such as illegitimate access, unwanted change, or disappearance of data.
- Record safeguards, security measures, corrective actions, residual risk, DPO advice where a DPO is designated, and views of data subjects or representatives where appropriate.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 35](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35(7) defines the minimum contents of a GDPR DPIA.
- [CNIL Privacy Impact Assessment methodology](https://www.cnil.fr/en/privacy-impact-assessments-cnil-publishes-its-pia-manual?ref=sorena.io) - CNIL's methodology and templates provide grounded DPIA record categories that map to Article 35(7), DPO advice, and data-subject views.

## Primary sources

- [Regulation (EU) 2016/679 (GDPR), Article 35](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35 grounds the DPIA threshold, Article 35(3) examples, supervisory-authority list mechanics, DPO and data-subject involvement, review duty, and minimum DPIA contents.
  - Quote: "likely to result in a high risk"
- [Irish Data Protection Commission guidance on DPIAs](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments?ref=sorena.io) - The DPC guidance grounds practical threshold criteria, large-scale factors, rule-of-thumb documentation, lifecycle timing, and no-DPIA list cautions.
  - Quote: "processing operations which meet at least two of these criteria will require a DPIA"
- [CNIL Privacy Impact Assessment methodology](https://www.cnil.fr/en/privacy-impact-assessments-cnil-publishes-its-pia-manual?ref=sorena.io) - CNIL's PIA methodology and templates ground the recommended DPIA record structure for context, necessity and proportionality, risk treatment, stakeholder involvement, and validation.
  - Quote: "A systematic description of the processing is provided"

## Topic Guides

- [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
- [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
- [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
- [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
- [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
- [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
- [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
- [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
- [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
- [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
- [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
- [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
- [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
- [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
- [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
- [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
- [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
- [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
- [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
- [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
- [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
- [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
- [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
- [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
- [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
- [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
- [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
- [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
- [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
- [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
- [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
- [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
- [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
- [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
- [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
- [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
- [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
- [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
- [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.

*Recommended next step*

*Placement: before sources*

## Use this EU GDPR FAQ as a cited DPIA threshold checklist

Sorena can turn the Article 35 threshold, high-risk criteria, list checks, and DPIA content requirements into cited owner prompts and evidence requests for GDPR reviews.

- [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about Article 35 DPIA thresholds, high-risk criteria, and DPIA evidence using the cited sources on this page.
- [Talk through implementation](/contact.md): Review your DPIA threshold workflow, source gaps, and evidence structure with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold