Smart cities build so much upon processing of (personal) data to the extent that they may be considered data cities. This characteristic raises a plethora of fundamental rights-related concerns, exacerbated by the complexity of smart city environments, where multiple public and private entities (e.g. citizens, municipalities, governmental authorities, IT and telecommunication companies, industries, community groups) interact. Furthermore, urban environments -and smart cities projects and initiatives- still tend to reflect mostly the one-sided perspective of able-bodied, cisgender, heterosexual men and therefore are suitable to perpetuate and reinforce gender inequities. To address the fundamental rights challenges arising from the (personal) data processing operations occurring in the context of smart cities, academics and regulators in the European Union are increasingly showcasing Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR) as a solution. Building upon an ex-ante risk-based approach, DPIA would inform decision-making and shape the development of a smart city project and or initiative in a way to minimise negative and unintended consequences arising from the processing before they occur (e.g. prevent algorithmic bias). Furthermore, its participatory potential embedded in Article 35(9) GDPR may contribute to the empowerment of (less represented) citizens. However, is DPIA really adequate to address the fundamental rights-related challenges arising from smart cities and the technologies deployed therein? What are its advantages and drawbacks? What best practices can be adopted by data controllers to overcome these limits? The objective of this work is to critically evaluate DPIA as a tool to effectively address the fundamental rights challenges raised by smart cities and ensure inclusiveness by adopting intersectional gender lenses.