Beter Geregeld ICT
GDPR & privacy · 2 min read · 10 November 2025

DPIA — Data Protection Impact Assessment: when is it required, and when can you skip it?

A DPIA sounds like something only large enterprises need to worry about. For SMBs it's rarely required — but there are a handful of specific situations where it is. Here's the decision tree.

A DPIA is a structured risk analysis for processing activities that carry a high privacy risk. The Dutch Data Protection Authority (AP) publishes a list of situations in which a DPIA is mandatory.


When is it mandatory?

  • Large-scale processing of "special categories" of data (medical data, ethnic origin, religion).
  • Systematic monitoring of publicly accessible areas (CCTV at a central location).
  • Profiling with legal consequences for individuals (automated decision-making).
  • Biometrics used for identification (fingerprint lock, facial recognition).
  • Large-scale location tracking.
  • Combining personal data from different sources (data matching).

When is it probably not required?

  • Standard HR administration.
  • Standard customer CRM.
  • Invoicing.
  • Newsletter with explicit consent.

How do you carry out a DPIA?

  1. Description of the processing activity: why, how, and what data.
  2. Assessment of necessity and proportionality.
  3. Risk identification for the individuals involved.
  4. Measures to mitigate the risks.
  5. Residual risk and final assessment.

Who should you consult?

  • Your Data Protection Officer (DPO), if one is in place.
  • The individuals concerned (employee representatives for HR-related processing).
  • Management signs off on the outcome.

Prior consultation with the AP


If a significant residual risk remains after the DPIA, you are required to consult the AP BEFORE starting the processing activity. Typical turnaround: 6–10 weeks.


See also: GDPR pillar, risk management.

Topics

#avg #dpia #risico-analyse

Full guide: GDPR compliance for SMBs: the practical minimum

This article is part of our comprehensive GDPR & privacy guide. Read the pillar for the complete picture.