Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

List of personal data processing activities that must be subject to a Data Protection Impact Assessment (“DPIA”)


The CNPD (Portuguese Data Protection National Commission), as the Portuguese supervisory authority, has approved Regulation nr. 1/2018 (“Regulation”), pursuant to Articles 35, no. 4 and 57, no. 1, k) of the General Data Protection Regulation (“GDPR”), that provides a list of personal data processing activities that must be subject to a Data Protection Impact Assessment (“DPIA”).

Through this Regulation, the CNPD clarifies the situations, in addition to those already foreseen in Article 35, nr. 3 of the GDPR, in which the Controller shall carry out a DPIA prior to the processing of personal data.

A DPIA is a process that must be undertaken by the Controller, being mandatory only in some situations. Its purpose is to mitigate the risks associated with the processing of data within the scope of new projects, systems, plans, proposals, strategies or policies.

The list presented in the Regulation is not exhaustive and is based on the public consultation, conducted by the CNPD, as well as the recommendations contained in Opinion nr. 18/2018 of the ECDC (European Data Protection Committee).

In short, according to Regulation no. 1/2018, in addition to the situations already defined in the GDPR, the processing of data must be preceded by a DPIA when said processing:

  1. Involves the transmission by electronic devices of personal health data;
  2. Involves profiling on a large scale;
  3. Enables the location or behavior tracking of data subjects – such as employees or clients – and allows the Controller to evaluate or classify said data subjects;
  4. Involves the processing of biometric data for the unambiguous identification of the data subjects;
  5. Involves the processing of genetic data of vulnerable people;
  6. Is included in Article 9, nr. 1 or Article 10 of the GDPR or has a “highly personal nature”:

    1. With the use of particular technologies or carrying out particular types of processing operation;
    2. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
    3. That results in an interconnection of personal data;
    4. Based on indirect collection, where it is not possible to ensure the right of information. 

Lastly, concepts such as "data of highly personal nature", "data processed on a large scale", "the processing of genetic data" or "particular technologies" should be interpreted in accordance with the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679” (WP248 rev.01), approved by the Article 29 Data Protection Working Party.


Article provided by: Ricardo Henriques (Portugal)



Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start...



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.