Data Protection Impact Assessment: When Mandatory, How to Conduct?
Data Protection Impact Assessment (DPIA), while explicitly defined in the GDPR, is not directly named in the Turkish Data Protection Law (KVKK). Nevertheless, it is central to a risk-based compliance approach. When is it mandatory, how is it conducted, and which template should be followed?
Av. Umut Zorer
Founding Attorney
Introduction
"Data Protection Impact Assessment" (DPIA) is explicitly defined in the EU GDPR ecosystem and is a mandatory tool in certain circumstances. Turkish Law No. 6698 (Turkish Data Protection Law, KVKK) does not explicitly regulate the DPIA concept; however, the data security obligation in Article 12 and the Board's requirement of "adequate safeguards" for special category personal data create a functional equivalent of DPIA. Turkish companies operating within the scope of the GDPR apply DPIA directly pursuant to Article 35; for Turkish companies whose compliance work is KVKK-focused, establishing a DPIA-like risk analysis is likewise a discipline frequently raised in Authority audits.
In this article, we address the legal foundation of DPIA, when it becomes mandatory, which processing activities must be documented, and the minimum elements that a DPIA must contain.
What is DPIA?
DPIA is a tool used to systematically assess the effects of personal data processing activities on the rights and freedoms of data subjects. Its difference from classical information security risk analysis is that it addresses risks from the perspective of the data subject, not the company.
A good DPIA answers the following questions: What purpose does the processing activity serve? Is processing truly necessary for this purpose? Is it proportionate? What are the possible adverse effects on the rights and freedoms of data subjects? To what extent are technical and administrative measures applied to mitigate these effects? Is the remaining risk at an acceptable level?
GDPR Article 35: Mandatory Framework
According to GDPR Article 35, DPIA is mandatory if processing is likely to pose a "high risk" to the rights and freedoms of natural persons. The Regulation directly enumerates three situations to be considered as high risk:
- Systematic and extensive evaluation based on automated decision-making that has a significant effect on the individual (including profiling),
- Large-scale processing of special category personal data or processing of criminal conviction data within Article 10,
- Large-scale systematic monitoring of publicly accessible areas.
Beyond these three situations, the supervisory authorities of individual countries (for example, BfDI in Germany, CNIL in France, Garante in Italy) have published guidelines listing the criteria under which a DPIA is mandatory. The WP29 (now EDPB) guideline sets out nine criteria; when two or more of these criteria apply together, the processing is considered high-risk:
- Evaluation or scoring,
- Automated decision-making (with legal effect or similar significant effect),
- Systematic monitoring,
- Special category personal data or highly personal data,
- Large-scale processing,
- Matching or combining data sets,
- Data concerning vulnerable individuals (children, employees, patients),
- Innovative use of a new technology,
- Processing that prevents a person from benefiting from a right, service, or contract.
DPIA under KVKK: No Explicit Obligation, But Factual Obligation Exists
Article 12 of KVKK imposes on the data controller the obligation to "take all necessary technical and administrative measures to ensure an appropriate level of security." The Authority has substantiated the content of this obligation over time through both guidelines and Board decisions. In particular, the Board's decision dated January 31, 2018, numbered 2018/10, on the "adequate safeguards" required for special category personal data, can be read as part of a structured risk assessment.
Furthermore, following the 2024 KVKK reform, the guidelines published by the Authority (Overseas Transfer Guide, Guide on Processing of Special Category Personal Data) explicitly emphasize the risk-based approach. They state that additional measures must be taken depending on the sensitivity of the transferred data category, the level of protection in the recipient's country, and the scale of processing, which is a structure that aligns with the DPIA workflow.
In practice, Authority audits frequently request that companies provide risk assessments for processing activities and justification of measures taken. A structured DPIA document capable of responding to this request is valuable both as proof of compliance and as defense material.
Minimum Elements of a DPIA
A good DPIA is not a one-size-fits-all form; it is an analysis document shaped according to the specific processing. The following elements constitute minimum content:
1. Description of processing activity
- Activity name and brief description,
- Purpose of processing and position in the process,
- Data categories (identity, contact, financial, health, biometric, etc.),
- Data subject categories (customer, employee, candidate, business partner, etc.),
- Recipients and sub-processors,
- Data flow diagram,
- Domestic and international transfer points,
- Retention period and deletion/anonymization schedule.
2. Legal basis and necessity test
- Legal basis of processing under KVKK Article 5 or Article 6 (or GDPR Article 6, Article 9),
- Whether processing is truly necessary for the purpose,
- Whether a less intrusive alternative is possible,
- Proportionality assessment.
3. Risk analysis
- Possible adverse effects on data subjects (discrimination, material or non-material damage, identity theft, loss of autonomy, etc.),
- Probability and severity of each effect,
- Overall risk score (e.g., low/medium/high/very high).
4. Measures already taken and planned
- Technical measures (encryption, access control, pseudonymization, network segmentation, logging, etc.),
- Administrative measures (policy, training, procedure, supplier assessment, internal audit),
- Adequate safeguards enumerated in Board Decision 2018/10 for special category personal data,
- Implementation level for each measure.
5. Residual risk assessment and decision
- Risk remaining after measures are implemented,
- Whether the residual risk is acceptable,
- If not acceptable, decision to redesign or suspend the processing activity,
- Prior consultation with the supervisory authority in case of high residual risk (GDPR Article 36).
6. Governance
- Team that prepared the DPIA,
- Opinion of the DPO (or the data protection officer in Turkey),
- Stakeholder opinions (where necessary, data subject representatives, employee representation, internal counsel),
- Approval chain and approval date,
- Update schedule (to be redone if processing changes).
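The screening rule from the WP29/EDPB criteria (two or more of nine, plus the three GDPR Article 35(3) cases) and the risk analysis steps above (likelihood and severity per effect, an overall score, residual risk after measures, and the Article 36 decision) can be captured in a small register. The following Python script is an added example written for this article, not the article's own or any authority's tool; the mapping of the Article 35(3) cases onto the nine criteria, the 1-to-4 scales, the score thresholds, treating "medium" residual risk as acceptable, and the recruitment-system sample values are all assumptions of the example.

```python
"""DPIA screening and risk register (added example; thresholds and mappings are assumptions)."""
from dataclasses import dataclass
from enum import Enum


class Criterion(Enum):
    """The nine WP29/EDPB criteria listed in the article."""
    EVALUATION_OR_SCORING = "evaluation or scoring"
    AUTOMATED_DECISION = "automated decision-making with legal or similar effect"
    SYSTEMATIC_MONITORING = "systematic monitoring"
    SPECIAL_CATEGORY = "special category or highly personal data"
    LARGE_SCALE = "large-scale processing"
    DATA_MATCHING = "matching or combining data sets"
    VULNERABLE_SUBJECTS = "data concerning vulnerable individuals"
    INNOVATIVE_TECH = "innovative use of a new technology"
    PREVENTS_RIGHT = "prevents benefiting from a right, service or contract"


# GDPR Art. 35(3) cases expressed as criterion combinations (this mapping is an assumption).
ART35_3_CASES = {
    "35(3)(a) systematic, extensive evaluation with automated decision-making":
        frozenset({Criterion.EVALUATION_OR_SCORING, Criterion.AUTOMATED_DECISION}),
    "35(3)(b) large-scale processing of special category data":
        frozenset({Criterion.SPECIAL_CATEGORY, Criterion.LARGE_SCALE}),
    "35(3)(c) large-scale systematic monitoring of public areas":
        frozenset({Criterion.SYSTEMATIC_MONITORING, Criterion.LARGE_SCALE}),
}


def dpia_required(criteria):
    """Return (required, reason): Art. 35(3) cases first, then the two-of-nine rule."""
    criteria = set(criteria)
    for name, combo in ART35_3_CASES.items():
        if combo <= criteria:
            return True, f"GDPR Art. {name}"
    if len(criteria) >= 2:
        return True, "WP29/EDPB: two or more of the nine criteria apply"
    return False, "fewer than two criteria; document the screening and its date"


LEVEL_ORDER = ["low", "medium", "high", "very high"]


def risk_level(likelihood, severity):
    """Map a 1-4 likelihood and 1-4 severity to the article's four levels (assumed thresholds)."""
    if not (1 <= likelihood <= 4 and 1 <= severity <= 4):
        raise ValueError("likelihood and severity must be on a 1..4 scale")
    product = likelihood * severity
    if product <= 2:
        return "low"
    if product <= 4:
        return "medium"
    if product <= 9:
        return "high"
    return "very high"


@dataclass
class Risk:
    """One adverse effect on data subjects, scored before and after measures."""
    effect: str
    likelihood: int
    severity: int
    measures: list
    residual_likelihood: int
    residual_severity: int

    def inherent(self):
        return risk_level(self.likelihood, self.severity)

    def residual(self):
        return risk_level(self.residual_likelihood, self.residual_severity)


def assess(risks):
    """Overall inherent/residual level is the worst single risk; 'medium' or below is accepted here."""
    worst = lambda levels: max(levels, key=LEVEL_ORDER.index)
    inherent = worst(r.inherent() for r in risks)
    residual = worst(r.residual() for r in risks)
    acceptable = LEVEL_ORDER.index(residual) <= LEVEL_ORDER.index("medium")
    action = ("proceed; record review date" if acceptable
              else "redesign or suspend; prior consultation under GDPR Art. 36 if high risk remains")
    return {"inherent": inherent, "residual": residual, "acceptable": acceptable, "action": action}


# Constructed sample: the AI-based recruitment system discussed in the article.
RECRUITMENT_CRITERIA = {Criterion.AUTOMATED_DECISION, Criterion.EVALUATION_OR_SCORING,
                        Criterion.VULNERABLE_SUBJECTS, Criterion.LARGE_SCALE, Criterion.INNOVATIVE_TECH}


def recruitment_dpia():
    """Run screening and the risk register for the sample system; values are constructed."""
    required, reason = dpia_required(RECRUITMENT_CRITERIA)
    risks = [
        Risk("discrimination from biased training data", 3, 4,
             ["bias analysis by gender/ethnicity/age", "human review of every rejection"], 1, 3),
        Risk("identity theft after a breach of CV data", 2, 3,
             ["encryption at rest", "role-based access control", "access logging"], 1, 3),
    ]
    report = assess(risks)
    report.update({"dpia_required": required, "reason": reason})
    return report


if __name__ == "__main__":
    for key, value in recruitment_dpia().items():
        print(f"{key}: {value}")
```

The screening function deliberately reports which rule fired, because an auditor asking for the risk assessment will want the justification, not only the yes/no outcome; the residual-risk decision likewise records the action taken, which is the "decision" element of section 5 above.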
Example: DPIA for an AI-Based Recruitment System
A DPIA for an AI-based resume screening and candidate scoring system encompasses automated decision-making, vulnerable individuals (job seekers), large-scale processing, and innovative technology use criteria together. Such a DPIA must have recorded answers to at least the following questions:
- Which characteristics (experience, education, expression features) does the system use as a basis?
- How was the training data created, and were gender/ethnic/age bias analyses conducted?
- What transparency is provided to the candidate regarding the system?
- What is the mechanism for objecting to the system's decision?
- At what level is human supervision?
- How is the decision's legal effect on the candidate, or a similarly significant effect, measured?
When Should It Be Updated?
DPIA is not a document to be created once and filed away. The following changes require the DPIA to be updated:
- If the purpose or scope of processing changes,
- If a new data category is added,
- If recipients, sub-processors, or countries change,
- If technical infrastructure is significantly modified (especially AI/ML updates),
- If a new Board decision, regulation, or case law affects the assessment,
- If the risk profile changes following a data breach.
Good practice is to review the DPIA at least annually for processing activities in the high-risk category; the review date should be recorded in the DPIA register.
Conclusion
DPIA is a tool that ensures data protection is an ongoing discipline rather than a completed task. For Turkish companies within the scope of the GDPR, it is a direct obligation; within the KVKK framework, it has become a de facto expectation manifested in Authority audits. Without a DPIA for high-risk category projects, neither Authority audits nor supplier risk inquiries can be answered with confidence.
In practice, DPIA may not be as visible as a well-written privacy notice; however, it is the only structured document through which a company can concretely demonstrate the measures taken and its assessment when a problem arises.