• The Ministry of Justice and Security Strategic Vendor Management Microsoft published a DPIA report diagnostic data processing in Microsoft Office 365 for the Web and mobile Office apps.
  • The Finnish Data Protection Authority imposed a fine on an organization for failing to do a data protection impact assessment (DPIA) before starting the data processing related to security camera surveillance, location data processing and automatic decision-making and profiling in the context of the loyalty program.
  • Finnish DPA imposed three administrative fines for data protection violations. These violations concerned giving insufficient information on data protection rights, neglecting to conduct a data protection impact assessment and the unnecessary collection of personal data.
  • Finland DPA has imposed an administrative fine of €72,000 against taxi company Taksi Helsinki for data protection violations. Among other, the company failed to conduct the impact assessments required by GDPR before the start of processing.
  • The Norwegian Data Protection Authority imposed a fine on the Rælingen municipality for failure to do a DPIA before processing personal data in a digital learning platform.



  • EDPS: DPIA List for EU institutions.
  • CNIL: DPIA whitelist.
  • Irish DPC: Guide to Data Protection Impact Assessments for any processing that is ‘likely to result in a high risk to individuals’, including some specified types of processing.
  • Gibraltar: Data Protection Impact Assessment template.
  • Irish DPC: guidance for controllers and processors whose business activities may require them to carry out a Data Protection Impact Assessment.
  • EDPS: report on Data Protection Impact Assessment under Article 39 of the Regulation.
  • The Spanish DPA (Agencia Española de Protección de Datos – AEPD) has published an English template for data protection impact assessment report.
  • French CNIL: updated tool to conduct the DPIA. The open source PIA software facilitates the development and formalization of DPIA, as required by the GDPR.