§ GDPR · Article 35

GDPR Article 35: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 35 · All obligations · GDPR
At a glance
Article 35 of the GDPR imposes 10 obligations on controller, supervisory authority. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 35

Obligation 1
The controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to processing if it is likely to result in a high risk to the rights and freedoms of natural persons. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
controller
Action required
assess
Deadline
prior to the processing
Penalty
Obligation 2
The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
controller
Action required
seek advice
Deadline
Penalty
Obligation 3
The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
supervisory authority
Action required
establish and publish
Deadline
Penalty
Obligation 4
The supervisory authority shall communicate the lists of processing operations subject to DPIA to the Board referred to in Article 68. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
supervisory authority
Action required
communicate
Deadline
Penalty
Obligation 5
The supervisory authority may establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
supervisory authority
Action required
establish and publish
Deadline
Penalty
Obligation 6
The supervisory authority shall communicate the lists of processing operations exempt from DPIA to the Board. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
supervisory authority
Action required
communicate
Deadline
Penalty
Obligation 7
Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve cross-border processing or may substantially affect the free movement of personal data. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
supervisory authority
Action required
apply consistency mechanism
Deadline
Prior to the adoption of the lists
Penalty
Obligation 8
The assessment shall contain at least a systematic description of the envisaged processing operations and purposes, an assessment of necessity and proportionality, an assessment of risks, and measures envisaged to address the risks. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
controller
Action required
document
Deadline
Penalty
Obligation 9
Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
controller
Action required
seek views
Deadline
Penalty
Exemptions
without prejudice to the protection of commercial or public interests or the security of processing operations
Obligation 10
Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations. Regulation (EU) 2016/679, Article 35, Article 35
Obligated entity
controller
Action required
review
Deadline
at least when there is a change of the risk
Penalty
§ Frequently asked

Questions about Article 35

Who must comply with Article 35 of the GDPR? +
controller, supervisory authority.
What does Article 35 of the GDPR require? +
assess seek advice establish and publish
What is the compliance deadline for GDPR Article 35? +
Prior to the adoption of the lists; at least when there is a change of the risk; prior to the processing
Need a cross-border briefing on GDPR Article 35?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles