A DPIA is a risk-inventory assessment. In Dutch a gegevensbeschermingseffectbeoordeling (GBEB). A DPIA is sometimes recommended and in some situations it is required by law (GDPR Art. 35). This is the case when there is a possibility of a high risk to the ‘rights and freedoms’ of data subjects. According to the GDPR, such a ‘high risk’ is considered to be present if:

• you are making automated, impactful decisions regarding people based on personal data, including processes such as profiling, or
• you are processing special categories of personal data or criminal data on a large scale, or
• you observe people in public spaces on a large scale (such as with the use of security cameras).