The Spanish AEPD has published a “white list” of data processing operations that DO NOT require a Data Protection Impact Assessment (DPIA) under GDPR:

  • Processing carried out under guidelines previously established or authorized by the DPA
  • Processing carried out under the guidelines of an approved code of conduct
  • Processing necessary to comply with a legal requirement or to complete a mission in the public interest
  • Processing carried out by self-employed personnel who work on an individual basis in the exercise of their professional duties (e.g. physicians, healthcare professionals, or lawyers)
  • Processing carried out in relation to the internal administration of personnel working at SMEs (e.g. accounting, HR management, payroll management)
  • Processing carried out by owners’ associations and sub-associations in multi-occupancy properties
  • Processing carried out by professional colleges and non-profit associations in connection with the data of their associates members and donors of the data controllers, provided that the processing does not extend to special category data.

Details from the AEPD.