When is a Data Protection Impact Assessment required?

A DPIA is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them). DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation. In other words, a DPIA is a process for building and demonstrating compliance.

Article 35 states: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. Carrying out a DPIA is only mandatory where a processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

Processing operations likely to require a DPIA include:

evaluation or scoring, including profiling and predicting

automated decision-making with legal or similar significant effect

systematic monitoring

sensitive data processing

data processed on a large scale

datasets that have been matched or combined

data concerning vulnerable data subjects, such as children, the elderly, the sick

innovative use or applying technological or organisational solutions, like combining use of fingerprint and face recognition for improved physical access control

data transfer across borders outside the European Union

when the processing in itself “prevents data subjects from exercising a right or using a service or a contract”

The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.
