
Multi-Jurisdictional DPIA Obligations

Mapping DPIA requirements across 8 European authorities, LGPD Brazil, AI Act and sector-specific laws.

GDPR as Baseline: Article 35 and the 9 WP29/EDPB Criteria

GDPR makes a DPIA mandatory where processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35(1)). Article 35(3) names three cases where this is always so: systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based; large-scale processing of special categories of data or of data relating to criminal convictions and offences; and large-scale systematic monitoring of a publicly accessible area.

The Article 29 Working Party guidelines WP248 rev.01 (endorsed by the EDPB) add nine criteria for identifying other processing likely to present a high risk:

  1. Evaluation or scoring of individuals, including profiling and predicting
  2. Automated decision-making with legal or similarly significant effects
  3. Systematic monitoring of data subjects, including monitoring of a publicly accessible area
  4. Sensitive data or data of a highly personal nature: special categories under Article 9 (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric, health or sexual-life data), criminal data under Article 10, and data such as location or financial data
  5. Data processed on a large scale
  6. Matching or combining datasets from different sources or processors
  7. Data concerning vulnerable data subjects (children, employees, patients, asylum seekers)
  8. Innovative use or application of new technological or organisational solutions (AI, IoT, blockchain)
  9. Processing that in itself prevents data subjects from exercising a right or using a service or contract

The criteria are not cumulative. WP248 states that processing meeting two criteria will in most cases require a DPIA, that a single criterion can be enough where the risk is evident, and that the more criteria are met the more likely a high risk is. International transfers are not a standalone WP248 criterion, although several national lists below treat them as a trigger and they raise the risk of any processing that already meets one.

Comparative Table: DPA Lists from 8 European Authorities

Under Article 35(4) each supervisory authority publishes a list of processing operations for which a DPIA is required; the EDPB reviewed the draft lists in its 2018 opinions to align them with WP248, but the lists still differ in scope and wording.

Authority | Jurisdiction | Mandatory Categories
CNPD | Portugal | International transfers; automated decisions; sensitive data; minors; surveillance; AI; biometrics
CNIL | France | Sensitive data processing; automated decisions; minors; video surveillance; cookie analytics; cross-border cloud services
BfDI | Germany | Large-scale processing; sensitive data; surveillance; automated decisions with legal effects; intra-group transfers (note: the German lists are issued by the federal and state authorities jointly through the DSK)
ICO | United Kingdom | Systematic and extensive processing; surveillance; automated decision-making; sensitive data; post-Brexit transfers; UK GDPR compliance
Garante | Italy | Sensitive data (Article 9); automated decisions (Article 22); surveillance; biometrics; AI; minors
AEPD | Spain | Large-scale processing; surveillance; AI; profiling; sensitive data; minors; international transfers
APD | Belgium | Sensitive data; surveillance; automated decisions; international transfers; AI; biometrics; large-scale processing
AP | Netherlands | Systematic and extensive processing; surveillance; automated decision-making; special category data; AI; biometrics; minors

Golden Rule: Integration

For multinational operations, build one DPIA that covers the union of the triggers in every relevant list, so that the strictest authority's requirement governs each processing operation. This avoids incomplete compliance, rework and divergent conclusions between national DPIAs.

UK GDPR Obligations Post-Brexit

The United Kingdom left the EU on 31 January 2020 and the transition period ended on 31 December 2020. Since 1 January 2021 the UK GDPR, read with the Data Protection Act 2018, applies in the UK; it was copied from the GDPR, and the EU adopted an adequacy decision for the UK in June 2021, but the two regimes now diverge and the ICO maintains its own DPIA list. Transfers between the EU and the UK therefore need to be assessed under both regimes.

LGPD and RIPD — Brazil

Brazil's General Data Protection Law (LGPD, Law 13.709/2018) has been in force since September 2020, with ANPD enforcement from August 2021. Its counterpart to the DPIA is the RIPD (Relatório de Impacto à Proteção de Dados Pessoais, the Data Protection Impact Report).

LGPD Article 5, XVII — Definition of the RIPD

Article 5, XVII defines the RIPD as the controller's documentation describing processing operations that may pose risks to civil liberties and fundamental rights, together with the measures, safeguards and risk-mitigation mechanisms adopted.

LGPD Article 38 — ANPD Power to Require the RIPD

Article 38 allows the ANPD to require a controller to prepare the RIPD for its processing operations, including sensitive data, and fixes its minimum content: the types of data collected, the collection and security methodology, and the controller's analysis of mitigation measures. International transfers are governed separately by Articles 33 to 36 and by ANPD Resolution CD/ANPD No. 19/2024.

DPIA for Brazil-EU Operations

There is no EU adequacy decision for Brazil, so EU-to-Brazil transfers need a Chapter V tool (typically Standard Contractual Clauses) and a TIA on the EU side, and the Brazilian side needs the ANPD transfer mechanism and, where required, an RIPD. One integrated assessment can serve both the GDPR DPIA and the RIPD if it records the elements each law demands.

Consult P06 — CPLP Markets for deeper insight on LGPD and interoperability with GDPR.

AI Act Article 27 — Fundamental Rights Impact Assessment for High-Risk AI

The AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024; its prohibitions apply from 2 February 2025 and most high-risk obligations from 2 August 2026. Article 27 requires deployers of certain high-risk AI systems (bodies governed by public law, private entities providing public services, and deployers using such systems for creditworthiness assessment or life and health insurance pricing) to carry out a Fundamental Rights Impact Assessment (FRIA) before first use. The FRIA does not replace the DPIA: under Article 27(4), where a DPIA under Article 35 GDPR already satisfies part of the obligation, the FRIA complements it. For cross-border deployments both assessments must cover every jurisdiction in which the system is used.

Interactive Checklist: Do I Need a Multi-Jurisdictional DPIA?

Use this checklist to self-assess whether you need a multi-jurisdictional DPIA.

Does your organisation operate in more than 3 countries?

Yes → Proceed to the next question. No → A domestic DPIA may suffice (for Portugal, consult the CNPD list).

Do you transfer personal data outside the EU/EEA (including to the US, Brazil or other CPLP countries)?

Yes → DPIA plus a Transfer Impact Assessment (TIA) for every transfer relying on Standard Contractual Clauses or Binding Corporate Rules, as required by the CJEU's Schrems II judgment (C-311/18). For the US, recipients certified under the EU-US Data Privacy Framework are covered by the 2023 adequacy decision; all other US recipients need a TIA.

Do you process special category data (health, racial or ethnic origin, political opinions, religious beliefs, biometrics)?

Yes → DPIA mandatory under Article 35(3)(b) where processing is at large scale, and listed as a trigger by all 8 authorities above; one integrated DPIA should cover all of them.

Do you deploy AI systems or automated decision-making with legal or similarly significant effects?

Yes → DPIA mandatory (Article 35(3)(a) and Article 22 GDPR). If the system is high-risk under the AI Act and you are a deployer covered by Article 27, a FRIA as well. A multinational DPIA if the system is used across borders.

Do you process data of minors (the digital consent age is 13 to 16 depending on the member state, Article 8 GDPR)?

Yes → DPIA mandatory. For multinational processing, the consent age and parental-consent checks must be harmonised per jurisdiction.

Do you conduct video surveillance or systematic monitoring of employees or customers?

Yes → DPIA mandatory (Article 35(3)(c) for publicly accessible areas; employee monitoring also meets the vulnerable-subject and systematic-monitoring criteria of WP248). If footage is stored or viewed outside the EU/EEA, a TIA is also required.

Do you combine data from multiple sources for profiling or scoring?

Yes → DPIA mandatory (WP248 criteria 1 and 6), particularly where the score has cross-border effects (credit access, employment, insurance).

Outcome: You Need a Multi-Jurisdictional DPIA

If you answered "Yes" to any question above, we recommend an integrated multinational DPIA with DPO involvement and legal experts per jurisdiction.

Consequences of Cross-Border Non-Compliance

Where a DPIA is required, failing to carry it out, or carrying it out inadequately, is an infringement under Article 83(4)(a) GDPR, punishable by fines of up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher; supervisory authorities may also order the processing to stop under Article 58(2). In Brazil, LGPD Article 52 provides for fines of up to 2% of the group's revenue in Brazil, capped at R$50 million per infraction. In a multinational operation each authority can act independently, so a gap in one jurisdiction is not contained there.

Link to CNPD — Mandatory Categories in Portugal

For the Portuguese domestic context, consult the complete CNPD guidance (Regulamento n.º 1/2018, the CNPD list of processing operations subject to a DPIA).

CNPD — Mandatory DPIA Categories List

aipd.pt/obrigatoriedade — the CNPD criteria for when a DPIA is mandatory in Portugal.

Next Steps

Continue with the multinational methodology, or contact us for implementation.

Methodology for Multinationals →

Questions on Multi-Jurisdictional Obligations?

Send a brief message and we'll respond within 24 hours.

The information on this website is for informational purposes only and does not constitute legal advice. Conducting a DPIA should be accompanied by qualified professionals.