Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Norwegian DPA publishes list of processing activities with mandatory DPIA


Under Article 35 of the GDPR, the national Data Processing Authority (DPA) shall establish and make public a list of processing operations which are subject to the requirement for a DPIA. The Norwegian DPA recently published a list of processing activities that the Norwegian DPA considers likely to result in a high risk to the rights and freedoms of data subjects, and which will therefore always require the controller to carry out a DPIA. The Norwegian DPA's list is based on the Working Party 29's analysis in the Guidelines on DPIA (WP 248).

The DPA's list shall not be considered as exhaustive, in that a processing activity may require a DPIA even if the activity is not listed. However, if the activity falls within the description in the list, the controller has an obligation to carry out a DPIA before the processing activity is started.

Under the WP 29 Guidelines, a processing activity will normally be subject to a DPIA if the activity combines two or more of the following criteria: Evaluation or scoring, automated decision-making with legal or similar significant effect, systematic monitoring, sensitive data or data of a highly personal nature, data processed on a large scale, matching or combining datasets, data concerning vulnerable data subjects, and innovative use or applying new technological or organisational solutions.

The Norwegian DPA has identified a number of cases where two or more of these criteria are combined, and which will therefore always require a DPIA under Norwegian law:

  • Collecting and combining data from third party sources for the purpose of deciding whether the data subject will be offered a certain service: An example here would be collection of data from the data subject's social media profile for the purpose of deciding whether the data subject will be offered a job or an insurance policy. 
  • Processing of biometric data for identification purposes on a large scale: An example would be processing of fingerprints or iris scans for the purpose of airport check-ins
  • Processing of genetic data on a large scale: For example gene sequencing
  • Processing of personal data using innovative technology in conjunction with another criterion, for example processing of sensitive data. Processing of personal data for use with health tech devises would be a relevant example.
  • Processing of personal data involving measures for systematic monitoring of employee activity: Monitoring of employees using camera surveillance or monitoring of employee's Internet activities would be a relevant example here.
  • Processing of personal data without consent for historical purpose in connection with another criterion: Medical research on existing patient data without obtaining a new consent from each patient would be an example of processing which will always require a DPIA.
  • Processing of location data in connection with one other criterion: For example, processing of location or traffic data generated through the use of a mobile phone, which is carried out in a systematic manner, would fall within the scope of this provision.
  • Processing of personal data for the purpose of evaluating learning or social environment in schools or kindergartens – this will require a DPIA.
  • Systematic monitoring on a large scale in areas accessible by the public: For example, camera surveillance in a public area in the town centre.
  • Camera surveillance in schools or kindergartens during opening hours
  • Processing of sensitive or highly personal data on a large scale for training of algorithms
  • Processing of personal data to systematically monitor proficiency, skills, scores, mental health or development
  • Processing of personal data with the purpose of providing services or developing products for commercial use that involve predicting working capacity, economic status, health, personal preferences or interests, trustworthiness, behaviour, location or route: An example would be the use of scoring software for the purpose of evaluating different applicants in connection with an employment process.
  • Collection of personal data through the use of "internet of things" solutions or welfare technology solutions.

Presumably, even though the examples described above apply under Norwegian national law, they will also be relevant when applying the GDPR rules and the national requirements for DPIAs in other EU/EEA countries.

The Norwegian DPA's document is available in English on the DPA's web site: 


Article provided by: Øystein Flagstad, advokatfirmaet GjessingReimers AS


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.