Skip to main content

Norwegian DPA publishes list of processing activities with mandatory DPIA


Under Article 35 of the GDPR, the national Data Processing Authority (DPA) shall establish and make public a list of processing operations which are subject to the requirement for a DPIA. The Norwegian DPA recently published a list of processing activities that the Norwegian DPA considers likely to result in a high risk to the rights and freedoms of data subjects, and which will therefore always require the controller to carry out a DPIA. The Norwegian DPA's list is based on the Working Party 29's analysis in the Guidelines on DPIA (WP 248).

The DPA's list shall not be considered as exhaustive, in that a processing activity may require a DPIA even if the activity is not listed. However, if the activity falls within the description in the list, the controller has an obligation to carry out a DPIA before the processing activity is started.

Under the WP 29 Guidelines, a processing activity will normally be subject to a DPIA if the activity combines two or more of the following criteria: Evaluation or scoring, automated decision-making with legal or similar significant effect, systematic monitoring, sensitive data or data of a highly personal nature, data processed on a large scale, matching or combining datasets, data concerning vulnerable data subjects, and innovative use or applying new technological or organisational solutions.

The Norwegian DPA has identified a number of cases where two or more of these criteria are combined, and which will therefore always require a DPIA under Norwegian law:

  • Collecting and combining data from third party sources for the purpose of deciding whether the data subject will be offered a certain service: An example here would be collection of data from the data subject's social media profile for the purpose of deciding whether the data subject will be offered a job or an insurance policy. 
  • Processing of biometric data for identification purposes on a large scale: An example would be processing of fingerprints or iris scans for the purpose of airport check-ins
  • Processing of genetic data on a large scale: For example gene sequencing
  • Processing of personal data using innovative technology in conjunction with another criterion, for example processing of sensitive data. Processing of personal data for use with health tech devises would be a relevant example.
  • Processing of personal data involving measures for systematic monitoring of employee activity: Monitoring of employees using camera surveillance or monitoring of employee's Internet activities would be a relevant example here.
  • Processing of personal data without consent for historical purpose in connection with another criterion: Medical research on existing patient data without obtaining a new consent from each patient would be an example of processing which will always require a DPIA.
  • Processing of location data in connection with one other criterion: For example, processing of location or traffic data generated through the use of a mobile phone, which is carried out in a systematic manner, would fall within the scope of this provision.
  • Processing of personal data for the purpose of evaluating learning or social environment in schools or kindergartens – this will require a DPIA.
  • Systematic monitoring on a large scale in areas accessible by the public: For example, camera surveillance in a public area in the town centre.
  • Camera surveillance in schools or kindergartens during opening hours
  • Processing of sensitive or highly personal data on a large scale for training of algorithms
  • Processing of personal data to systematically monitor proficiency, skills, scores, mental health or development
  • Processing of personal data with the purpose of providing services or developing products for commercial use that involve predicting working capacity, economic status, health, personal preferences or interests, trustworthiness, behaviour, location or route: An example would be the use of scoring software for the purpose of evaluating different applicants in connection with an employment process.
  • Collection of personal data through the use of "internet of things" solutions or welfare technology solutions.

Presumably, even though the examples described above apply under Norwegian national law, they will also be relevant when applying the GDPR rules and the national requirements for DPIAs in other EU/EEA countries.

The Norwegian DPA's document is available in English on the DPA's web site: 


Article provided by: Øystein Flagstad, advokatfirmaet GjessingReimers AS

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.