Employers should generally conduct a DPIA if any two of the following apply (see GDPR Article 35 and the A29WP Guidance):
- use of automated decision-making with legal or similarly significant effect;
- evaluation or scoring of data subjects, including evaluating work performance;
- systematic monitoring of a publicly accessible area on a large scale;
- processing of sensitive data (which employers will have);
- processing data on a large scale;
- processing data of vulnerable data subjects (which may include employees);
- transferring data outside the EU;
- engaging in an innovative use or application of technological solutions;
- engaging in processing that prevents a data subject from exercising a right.
Note: In many cases, at least two of these factors will be present for a given tool or system, meaning employers should perform a DPIA.