A DPIA is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them). DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation. In other words, a DPIA is a process for building and demonstrating compliance.
Article 35 states, where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. The carrying out of a DPIA is only mandatory where a processing is “likely to result in a high risk to the rights and freedoms of natural persons”
Processing operations likely to require a DPIA include:
evaluation or scoring, including profiling and predicting
automated-decision making with legal or similar significant effect
sensitive data processing
data processed on a large scale
datasets that have been matched or combined
data concerning vulnerable data subjects, such as children, the elderly, the sick
innovative use or applying technological or organisational solutions, like combining use of finger print and face recognition for improved physical access control
data transfer across borders outside the European Union
when the processing in itself “prevents data subjects from exercising a right or using a service or a contract"
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018