The General Data Protection Regulation ("GDPR") provides that where a type of processing of personal data is likely to result in a "high risk" to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out a data protection impact assessment ("DPIA"). In this context, the GDPR commands national data protection authorities to establish and publish a list of the kind of processing operations that are subject to this requirement for a DPIA. With its deliberation 34/2019 of 6 March 2019, the Luxembourg Data Protection Authority ("CNPD") therefore published a list of processing operations requiring the prior performance of a DPIA specifying that such a list is not to be seen as exhaustive.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.