Personal data processing that require the DPIA – general provision
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
Chapter IV, Section 3, Article 35, Paragraph 1
Regulation's subject matter
Data protection impact assessment (Article 35, Section 3, Chapter IV)