Data Protection Assessment
When data processing poses specific risks, it is subject to a preliminary impact assessment (DPIA).
DPIA
When it is likely that the processing, by its nature, its object or purposes, entails "high risks to the rights and freedoms" of the data subject, the data controller will have to carry out an ex ante evaluation of the impact that the processing may have from a data protection perspective: this is the so-called Data Protection Impact Assessment (DPIA). The obligation laid down in Article 35 is an expression of the accountability of the Controller (Articles 5.2 and 24): by means of a prior assessment, specific risks to the rights of the data subjects are identified, caused by the use of «new technologies, and taking into account the nature, scope, context and purposes of the processing».
Sanction for Omitted DPIA
Violation of the Controller's obligation to carry out the data protection impact assessment (DPIA) is sanctioned with administrative fines of «up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.4).
Supervisory Authority Consultation
Regulation 2016/679 has mandated each national authority to identify the types of processing that require such an assessment to be carried out (Article 35.4).