DPIA list of the Italian supervisory authority
The Blacklist of activities that trigger the need for a data protection impact assessment (DPIA) is available at https://www.garanteprivacy.it/documents/10160/0/ALLEGATO+1+Elenco+delle+tipologie+di+trattamenti+soggetti+al+meccanismo+di+coerenza+da+sottoporre+a+valutazione+di+impatto (in Italian). It mentions, for example, non-occasional processing of data of vulnerable individuals (minors, elderly, disabled, mentally ill, patients, asylum seekers) and processing carried out in the context of employment relationship through technological systems (including video surveillance and geolocation) that results in the possibility of an employee’s remote control.
Guidelines of the supervisory authority
There are no derogations from the GDPR. Garante has published an information sheet dedicated to the DPIA, as well as an overview of the main points of the WP29 guidelines: https://www.garanteprivacy.it/regolamentoue/DPIA (in Italian).
