Mandatory Cases: DPIAs are required under the GDPR in certain cases where the data processing is likely to result in a high risk to the rights and freedoms of individuals. This includes processing activities that involve systematic and extensive profiling, large-scale processing of sensitive data, or automated decision-making.

New Projects: DPIAs should be conducted when initiating new projects or processes that involve significant data processing, especially those that involve innovative technologies or novel data collection methods.

Changes to Existing Processes: If there are substantial changes to existing data processing activities, such as implementing new data processing systems, DPIAs should be revisited to assess the impact of these changes.

Public Consultation: DPIAs may also be required when an organisation is required to conduct a consultation with the supervisory authority as part of their data protection impact assessment.