Risks and data protection impact assessments

Any processing of personal data involves risk. Processing is any activity performed with personal data, including collection, conversion, use and disposal. The risk arises from the likelihood of negative events occurring with personal data, such as theft, removal, alteration, or deletion.

Those who carry out the processing of personal data must clearly identify the risks they face, in order to mitigate, manage or assume them through the adoption of different security measures. Risk identification can be done through risk analysis, which will help identify high-risk processing operations. On the other hand, the data protection impact assessment (hereinafter the “DPIA”) will make it possible to evaluate possible violations of rights and the mechanisms to reduce them.

The Organic Law for the Protection of Personal Data (hereinafter the “LOPDP”)[1] established the obligation to have a risk methodology and to carry out a DPIA, the purpose of which is to foresee the impacts and risks to the privacy of data subjects. Therefore, the LOPDP requires the implementation of security and control measures to guarantee the rights and freedoms of individuals.[2]

I. What is a DPIA?

The Regulation to the LOPDP[3] (hereinafter the “Regulation”), in accordance with the Article 29 Working Party’s[4] statement on the DPIA, defines impact assessment as a “[…] preventive analysis, of a technical nature, whereby the controller assesses the actual impacts of data processing, in order to identify and mitigate potential risks […]”[5].

II. How do I know if a DPIA should be done?

According to the LOPDP, the DPIA is mandatory when the data processing “entails a high risk to the rights and freedoms of the data subject”. Article 42 of the LOPDP provides some examples of when data processing may generate high risks:

1. Systematic and comprehensive evaluation of personal aspects of natural persons, which is based on automated processing (such as profiling) and on the basis of which decisions are made that produce legal effects for such persons.

For example, a financial institution that researches its customers in a credit reference database; or a computer program that uses the behavioral history of persons deprived of liberty to automatically determine whether they will be granted parole[6].

2. Large-scale processing of the special categories of data referred to in Article 25 of the LOPDP, or of personal data relating to criminal convictions and offences.

Large-scale processing involves a large amount of data and many data subjects from a wide geographic diversity[7]. Article 4 of the Regulation provides some examples of large-scale processing:

  • Patient data from hospitals and healthcare institutions.
  • Data on the movement of individuals using public transportation.
  • Real-time geolocation data.
  • Data from customers from insurance companies or financial institutions.
  • Data for behavioral advertising by a search engine.
  • Content, traffic, and location data held by telecommunications or internet service providers.

3. Systematic monitoring of a publicly accessible area on a large scale.

This type of observation[8] is a criterion for determining high risk, because personal data may be collected in circumstances where data subjects may not be aware of who is collecting their data and how it will be used. In addition, it may be impossible for individuals to avoid being subjected to this type of processing in public spaces (or publicly accessible spaces). An example is a camera placed on a public road to record and monitor the behavior of drivers.

From these examples, it must be assessed whether a processing of personal data is likely to generate a high risk. This is particularly important since failure to execute the DPIA when it is mandatory as determined by the LOPDP and the Regulation could constitute a serious infringement of the LOPDP and result in a fine of between 0.7% and 1% of the revenue for the financial year immediately preceding the financial year in which the fine is imposed.

III. What should be included in a DPIA?

The DPIA should be carried out prior to the start of personal data processing activities. Therefore, companies, as data controllers, should prepare their DPIA before and during the initial planning of their new projects. In Article 32 of the Regulation, in line with international experience[9], it is determined that the DPIA must be submitted to the data protection authority and that it must contain the following points:

1. Description of the operations and purposes of processing.

2. Reasoning for the necessity to carry out the processing.

3. Risk assessment to the rights of the data subjects; and,

4. Security measures to address the risks.

The DPIA must be a systematic process that applies objective, repeatable, and comparable methodologies and methods of execution; consequently, a DPIA must be structured in different phases. The LOPDP determines as one of the obligations of those responsible for the processing of personal data to use appropriate methodologies for the analysis and management of risks.

In summary, the LOPDP and the Regulation establish certain examples and criteria to determine in which cases a DPIA must be carried out on a mandatory basis. However, we will have to wait for the actions of the Data Protection Superintendency, whose head is not yet named, to know the interpretation and development of the concepts in the practical application of the LOPDP and the Regulation.


[1] The LOPDP entered into force on May 26, 2021, and its sanctioning regime is fully applicable as of May 26, 2023.

[2] The DPIA process is not new in Comparative Law, in the EU it is established in the General Data Protection Regulation. It is also contemplated in the legal systems of Australia, Mexico, Canada, Japan, South Africa, South Korea, the United States and New Zealand, among others.

[3] Issued by Executive Decree 904 of November 6, 2023.

[4] Article 29 Working Party. (2017). Guidelines on data protection impact assessment. https://www.aepd.es/sites/default/files/2019-09/wp248rev01-es.pdf

[5] Article 29 of the Regulation.

[6] Spanish Data Protection Agency (2021). Risk management and impact assessment in personal data processing. https://www.aepd.es/es/documento/gestion-riesgo-y-evaluacion-impacto-en-tratamientos-datos-personales.pdf

[7] Article 29 of the Regulation.

[8] The Regulation interprets “systematic” to mean one or more of the following:

  • pre-established, organized or methodical;
  • taking place as part of an overall data collection plan;
  • carried out as part of a strategy.

[9] Guidelines on Data Protection Impact Assessment of the Article 29 Working Group, Data Protection Impact Assessment Guide of the Argentine Data Protection Authority, and, Guide for the Preparation of Privacy Impact Assessments of the National Institute of Transparency, Access to Information and Protection of Personal Data.


Christian Razza
Associate at CorralRosales

Rafael Serrano
Partner at CorralRosales