Data protection impact assessment

The obligation to carry out a Data Protection Impact Assessment (DPIA) is provided for in Article 35 (1) of the GDPR.

A DPIA is carried out by the data controller when the processing operations are likely to result in a high risk to the rights and freedoms of natural persons, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing. Indicative kinds of high risk processing operations are referred to in Article 35 (3) of the GDPR (see rec.91 of the GDPR).

The Hellenic Data Protection Authority (HDPA) established, on the basis of Article 35 (4) of the GDPR, a draft list of the kinds of processing operations which are subject to the requirement for a DPIA. Before adopting the aforementioned DPIA list, the HDPA, in accordance with Article 35 (6), applied the consistency mechanism referred to in Article 63 by communicating the draft list to the European Data Protection Board (EDPB).

The EDPB, at its plenary session of the 25th of September 2018, issued, on the basis of Article 64 (1) of the GDPR, the Opinion 7/2018[1] regarding the HDPA’s draft DPIA list.

The HDPA, with its decision 65/2018, decided, in accordance with Article 64 (7) of the GDPR, to amend the DPIA list based on the recommendations included in Opinion 7/2018 of the EDPB and communicate the list to the EDPB.

The decision 65/2018 has been published in Government Gazette, Series II, No 1622/10-5-2019 (available only in Greek).


The HDPA’s DPIA list is based on Article 35 of the GDPR, in particular paragraphs 1 and 3 thereof and the Guidelines for the DPIA (WP248[2]), which it complements and further specifies.

As this list is not exhaustive both the obligation to carry out a DPIA -in every case where the conditions of Article 35 (1) of the GDPR are met- and the general obligation of the controller to comply with all the obligations deriving from the GDPR continue to hold.

Please select the Greek or English version of the HDPA’s DPIA list.

Please select the Greek or English version of the guidelines for the DPIA (WP248).


The assessment contains at least the following (Article 35 (7) of the GDPR):

  • systematic description of the processing operations and the purposes of the processing;
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • An assessment of the risks to the rights and freedoms of data subjects;
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.

To check the Data Protection Impact Assessment (DPIA) in relation to the necessary formality criteria to assess whether it is sufficiently comprehensive/acceptable, based on article 35 par. 2 and 7 − 9 of the GDPR and the guidelines WP248, click here.


It should be pointed out that the above criteria do not assess the correctness or effectiveness of the DPIA, but constitute the necessary formalities that must be included in the DPIA.

It is not necessary to carry out a DPIA for processing operations for which an authorization to establish and operate the relevant file containing sensitive personal data has been granted under Article 7 of Law 2472/1997, provided that such authorization is in force and there has been no change which may result in a high risk to the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of the processing (WP248).

It is not necessary to carry out a DPIA where the processing operation pursuant to Article 6 (1) (c) or (e) has a legal basis in EU or member state law where that law regulates the specific processing operation, and a DPIA has already been carried out as part of the establishment of that legal basis, except if it is deemed necessary to carry out such an assessment prior to processing activities (Article 35 (10), rec.93 of the GDPR).

[1] Opinion 7/2018 of the EDPB is available on: https: //

[2] To provide a coherent interpretation of the processing operations requiring a DPIA due to the high risk involved, the Article 29 Working Party issued the ‘Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679‘ (WP248) adopted by the EDPB at its first plenary session. According to these Guidelines, a DPIA is necessary, in most cases, where two of the criteria specified therein are fulfilled. In some cases, it is necessary to carry out a DPIA where one of these criteria is fulfilled.