The Spanish AEPD has published a “white list” of data processing operations that DO NOT require a Data Protection Impact Assessment (DPIA) under GDPR:
- Processing carried out under guidelines previously established or authorized by the DPA
- Processing carried out under the guidelines of an approved code of conduct
- Processing necessary to comply with a legal requirement or to complete a mission in the public interest
- Processing carried out by self-employed personnel who work on an individual basis in the exercise of their professional duties (e.g. physicians, healthcare professionals, or lawyers)
- Processing carried out in relation to the internal administration of personnel working at SMEs (e.g. accounting, HR management, payroll management)
- Processing carried out by owners’ associations and sub-associations in multi-occupancy properties
- Processing carried out by professional colleges and non-profit associations in connection with the data of their associates, members and donors of the data controllers, provided that the processing does not extend to special category data