The Regulation states that this must be done when it is probable that a processing operation poses a high risk to people. It does not specify what a high risk is, but says that aspects such as the use of new technologies, as well as the nature, scope, context and purpose of the processing, should be considered.
In particular, the Regulation requires that a DPIA be carried out in the following 3 cases:
In addition, it requires each data protection authority to publish a list of processing operations that require a DPIA. In the case of the Catalan Data Protection Authority, this list can be consulted here. For organisations under the jurisdiction of the Spanish Data Protection Authority, the list can be consulted here.
An impact assessment may also need to be carried out as a result of the extra guarantees required by the Regulation for archiving purposes in the public interest, statistics or scientific or historical research, if so determined by the legislation of the Member State (the LOPDGDD, in our case).
On the other hand, the Regulation specifies that impact assessments are not required for processing operations based on a legal obligation or for the performance of a task carried out in the public interest, where there is a law of the Member State or of the Union governing this and the impact assessment has been carried out in the process of passing this law.
If in doubt, it is advisable to perform the impact assessment, especially in the case of the most complex processing operations.