What is a DPIA — and when must one exist about you?

A Data Protection Impact Assessment is the mandatory risk study before high-risk processing — workplace monitoring, large-scale tracking, biometrics. “Show me the DPIA” is a question that stops meetings.

A DPIA (Art. 35) is a documented assessment — what data, what risks to the people affected, what safeguards — required before starting processing “likely to result in high risk”. Triggers: systematic large-scale monitoring (employee surveillance, city CCTV networks), large-scale special-category processing (health platforms, biometric systems), systematic profiling feeding significant decisions, and the items on each DPA’s published must-DPIA list. Residual high risk that safeguards cannot fix forces prior consultation with the DPA (Art. 36) — a real brake. Why this matters to you personally: the DPIA is where an organisation was legally forced to think about you before deploying the tool watching you. An employer rolling out monitoring software, a school adopting an AI proctoring tool, a landlord’s biometric entry system — each almost certainly required one. Asking “please share the DPIA, or confirm none exists” is devastating either way: existing DPIAs reveal what they knew about the risks; a missing one is an Art. 35 violation to hand the DPA or the works council. No statutory right forces full disclosure to you — but refusal to even confirm one exists tells its own story, and works councils and DPAs can demand it.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority