Take-Aways (AI)
[Updated 19 September 2018] - Several European authorities have published positive (blacklist) and negative (white list) lists on the obligation to carry out data protection impact assessments (DPIAs).
- Germany (several countries) and the Data Protection Conference primarily published blacklists on 25.5.2018 and 25.7.2018 respectively.
- Austria published a white list on 25.5.2018; Belgium, Poland and other countries have also provided lists.
- Blacklists are often binding for public authorities; whitelists may be voluntary for public authorities (Art. 35 (4) and (5) GDPR).
To date, the following positive and negative lists on data protection impact assessments (DSFA) (both concretize the obligation to provide a DSFA based on Art. 35 Para. 4 (positive lists, black list; probably mandatory for authorities) and Para. 5 (negative list, white list; probably voluntary for authorities)):
| Authority | Date | Type | Link |
| Belgium | 28.2.2018 | black/white | https://goo.gl/bSa1Mr |
| Germany / Baden-Wuerttemberg | 25.5.2018 | black | https://goo.gl/UjjECY |
| Germany / Saarland | 25.5.2018 | black | https://goo.gl/pCDqfz (same as Baden-Württemberg, but with two additional cases) |
| Germany / Schleswig-Holstein | 25.5.2018 | black | https://goo.gl/81Yoa9 (same as Baden-Württemberg, but with one additional case; not identical to the additional cases in Saarland). |
| Germany / Rhineland-Palatinate | 25.5.2018 | black – for public use only | https://goo.gl/wSWJsZ |
| Germany (Data Protection Conference, DSK) | 25.7.2018 | black | https://goo.gl/nN3eCt |
| Austria | 25.5.2018 | white | https://bit.ly/2l50aqU |
| Poland | undated | black | Polish: https://giodo.gov.pl/pl/file/13366
English translation by Kobylańska & Lewoszewski: https://goo.gl/36bnBM |