What are high-risk operations?

On this page: high-risk, large risk, dpia, assessment, mandatory
Date of last review: 2023-04-18

The GDPR requires a Data Protection Impact Assessment (DPIA) to be conducted when the risks in your project are high, considering “the nature, scope, context and purposes” of your project (art. 35(1)). More practically, you need to do a DPIA when two or more of the criteria from the European Data Protection Board apply to your project, or, if the processing occurs in the Netherlands, when one or more of the criteria from the Dutch Data Protection Authority (English UU translation) apply to your project.

Examples of high-risk scenarios

You systematically use automated decision making in your project (art. 35(3))

For example:

  • You use an algorithm to analyse health records and predict patients’ risk of complications.
  • You use an algorithm to analyse students’ test scores and learning patterns, to make personalised recommendations for coursework or additional resources.
  • You use an algorithm to detect fraudulent activity.

You process special categories of personal data or criminal offense data on a large scale (art. 35(3))

For example:

  • You amplify bodily materials into pluripotent stem cells, cell lines, germ cells or embryos (see the Dutch Code of Conduct for health research, 2022).
  • You analyse social media data to study political opinions and religious beliefs.
  • You investigate criminal records from all currently incarcerated individuals (note that such a project is likely subject to additional restrictions).

You publicly monitor people on a large scale (art. 35(3))

For example:

  • You use traffic data and GPS devices to monitor people’s behaviour in traffic.
  • You use CCTV footage to study public safety.

You collect a large amount of personal data, or data from a large group of people (EDPB, 2017)

For example:

  • You collect data on psychosocial development in twins annually for over a decade.
  • You collect genomic data to study the genetic basis of a specific disease.
  • You keep a database with contact information from thousands of people.

You use new techniques or methods for which the effects on data subjects or others are not yet known (EDPB, 2017)

For example:

  • Machine learning algorithms.
  • Internet of Things.
  • Virtual or Augmented Reality.
  • Natural Language Processing.
  • Human-computer interaction.

Your research involves groups that are vulnerable or touches a vulnerable topic (EDPB, 2017)

For example:

  • You perform video interviews with children talking about abuse.
  • You interview refugees about their home country.
  • You perform in-depth interviews with employees about their job satisfaction.
  • You perform a diary study among mentally ill patients.
  • You collect data from homosexual individuals in a country where homosexuality is forbidden or can lead to discrimination.
  • You perform research among a population with (severe) distrust towards scientific research(ers) or who have difficulty understanding your research.

There is a high chance of incidental findings in your research (Dutch Code of Conduct for health research, 2022)

For example:

  • You collect neuroimaging data from patients who likely have a brain tumour.
  • You investigate genetic data from vulnerable subjects that indicates a risk for disease.

When you suspect that you may need a DPIA, or when you are not certain whether your project needs one, please contact your privacy officer.