
High risk processing

Under the GDPR, a DPIA is mandatory for high-risk processing. The University of Groningen has defined a DPIA protocol that states in which cases a DPIA is requested (work in progress). The DPIA protocol also applies to research projects.

The European Data Protection Supervisor identified nine criteria for processing “likely to result in a high risk” [1]. However, applying these criteria to a research project is not always straightforward.

In the research context, the European Commission for Research and Innovation defined a list of indicators of data processing operations that may entail higher ethics risks [2].

The table below may help you to think about risks in the context of a research project. Information extracted from [2].

Types of personal data (special categories of data)
  • racial or ethnic origin
  • political opinions, religious or philosophical beliefs
  • genetic, biometric or health data
  • sex life or sexual orientation
  • trade union membership
Data subjects
  • children
  • vulnerable people
  • people who have not given their explicit consent to participate in the project
Scale or complexity of data processing
  • large-scale processing of personal data
  • systematic monitoring of a publicly accessible area on a large scale
  • involvement of multiple datasets and/or service providers, or the combination and analysis of different datasets (i.e. big data)
Data-collection or processing techniques
  • privacy-invasive methods or technologies (e.g. the covert observation, surveillance, tracking or deception of individuals)
  • using camera systems to monitor behaviour or record sensitive information
  • data mining (including data collected from social media networks), ‘web crawling’ or social network analysis
  • profiling individuals or groups (particularly behavioural or psychological profiling)
  • using artificial intelligence to analyse personal data
  • using automated decision-making that has a significant impact on the data subject(s)
Involvement of non-EU countries
  • transfer of personal data to non-EU countries
  • collection of personal data outside the EU

[1] Article 29 Data Protection Working Party, “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether the processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679”.

[2] European Commission, Ethics and data protection, Nov. 2018.

Last modified: 08 May 2019 4.15 p.m.