The General Data Protection Regulation (GDPR), on its article 35.1, states that the organizations are required to carry out an impact assessment when it is probable that the processing of personal data, depending on their nature, scope, context or purposes, entail a high risk for the rights and freedoms of people.
The Spanish Data Protection Authority (AEPD) has published the list of personal data processing activities in which it is not mandatory to perform an impact assessment, thus complying with the provisions of section 5 of the same legal provision, according to which control authorities may publish the list of types of processing that do not require an impact assessment. It is available on the following link: https://www.aepd.es/media/guias/ListasDPIA-35.5l.pdf.
In addition, as required by the GDPR, the AEPD has communicated this list to the European Data Protection Committee.
Previously, the AEPD had published another list with those processing activities in which it is mandatory to carry out an impact assessment. It is available on the following link: https://www.aepd.es/media/criterios/listas-dpia-es-35-4.pdf
