Under the GDPR, whenever the implementation of personal data processing "uses new technologies and, taking into account its nature, scope, context and purposes", is likely to result in "a high risk to the rights and freedoms of natural persons", the data controller must carry out a DPIA.