When a project includes technologies or processes that use personal data. Incorrect. Only for
technologies and processes that are likely to result in a high risk to the rights of data subjects is the
DPIA mandatory.
When processing is likely to result in a high risk to the rights of data subjects. Correct. For processing
operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to
design mitigation measures. (Literature: A, Chapter 6; GDPR Article 35)
When similar processing operations with comparable risks are repeated. Incorrect. This is a case in
which a DPIA does not need to be repeated.
