District Court Frankfurt a.M. on the right to be forgotten

Data protection impact assessment

26. June 2023
Legal organization and entrepreneurial structuring of influencer start-ups and personal brands

Legal organization and entrepreneurial structuring of influencer start-ups and personal brands

29. March 2025
Taking on investors in a startup: timing, risks and legal framework

Taking on investors in a startup: timing, risks and legal framework

28. March 2025

Honesty in startup marketing: legal requirements and ethical boundaries between transparency and advertising

28. March 2025
Startups in the legal gray area: permissibility and limits of innovative business models

Startups in the legal gray area: permissibility and limits of innovative business models

26. March 2025
Moral and legal aspects of “Trust among founders”

Moral and legal aspects of “Trust among founders”

25. March 2025
Honesty and fair pricing for start-ups (SaaS, mobile apps and digital services)

Honesty and fair pricing for start-ups (SaaS, mobile apps and digital services)

24. March 2025
Creating contracts with face models and voice models: A guide for the gaming industry

Liability of website operators for user comments – When and how operators are responsible for their users’ content

15. March 2025
Legally compliant archiving of emails: legal requirements and practical implementation

Legally compliant archiving of emails: legal requirements and practical implementation

14. March 2025
License agreements for software start-ups

15 questionable contractual clauses (often taken from English)

12. March 2025
iStock 1405433207 scaled

Exit strategies for start-ups: from planning to a successful exit

11. March 2025
Support with the foundation

The role of the supervisory board in young companies – when and why a supervisory board can be useful

11. March 2025
Arbitration and alternative dispute resolution in corporate disputes

Arbitration and alternative dispute resolution in corporate disputes

9. March 2025
Drafting contracts in the context of agile working methods: Scrum and Co.

Drafting contracts in the context of agile working methods: Scrum and Co.

8. March 2025
joint venture

Joint development agreements in the innovation sector: an overview of the legal basis, liability issues and property rights

5. March 2025
partnership limited by shares kgaa

Special features of competition law in joint ventures: structuring options and risks

4. March 2025
Digitalization and contract law: Electronic signature in accordance with the eIDAS Regulation

Digitalization and contract law: Electronic signature in accordance with the eIDAS Regulation

3. March 2025
Pentesting as a service: legal framework and contract design

Pentesting as a service: legal framework and contract design

28. February 2025
ai generated g63ed67bf8 1280

AI editing of OnlyFans content & Instagram campaigns: Important legal tips!

23. February 2025
Beware of fake streaming offers

Once again: Manipulated invoices, third-party IBANs and claims for damages under Art. 82 GDPR

21. February 2025
Data trusteeship in IoT projects

The editing contract: an essential contract for creatives and rights exploiters

20. February 2025
No Result
View All Result
Kurzberatung
No Result
View All Result

All available in:

Key Facts
  • Data protection impact assessment (DPIA ) is a process for identifying, evaluating and managing risks to fundamental rights.
  • Regulated in Article 35 of the General Data Protection Regulation, often replaces prior checking by the supervisory authority.
  • DPIA necessary in case of high risk due to processing of data, especially health data or profiling.
  • Content of the DPIA includes description, assessment of necessity and risks of processing.
  • Remedial measures must be planned to protect the rights of those affected.
  • The term "processing operation" includes data, systems and processes, not strictly legally defined.
  • DPIA required if on the positive list of the competent supervisory authority.

A data protection impact assessment (DPIA) is a process designed to identify, assess, and manage the risk posed to individuals by an organization’s use of a particular technology or system to their fundamental rights. It is governed by Article 35 of the General Data Protection Regulation and in most cases replaces prior checking by the supervisory authority.

Requirements

A data protection impact assessment shall be carried out where, due to the nature, scope, circumstances and purposes of the processing, there is likely to be a high risk to the rights and freedoms of natural persons. This is especially the case with:

  • Systematic and comprehensive assessment of personal aspects relating to natural persons which is based on automated processing, including profiling, and which in turn serves as a basis for decisions which produce legal effects concerning natural persons or similarly significantly affect them
  • Extensive processing of special categories of personal data pursuant to Article 9(1) or of personal data relating to criminal convictions and offences pursuant to Article 10 GDPR
  • Systematic extensive monitoring of publicly accessible areas

In addition, a data protection impact assessment must be carried out if it is on the positive list pursuant to Article 35(4) of the General Data Protection Regulation of the competent supervisory authority.

Content

At a minimum, the impact assessment includes the following:

  • A systematic description of the intended processing operations and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the controller
  • An assessment of the necessity and proportionality of the processing operations in relation to the purpose
  • An assessment of the risks to the rights and freedoms of data subjects pursuant to paragraph 1 and
  • The mitigating measures envisaged to address the risks, including safeguards, security measures and procedures ensuring the protection of personal data and demonstrating compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other data subjects

Processing operation

The term “processing operation” is not legally defined. The German supervisory authorities understand processing operations to be “the sum of data, systems (hardware and software) and processes”.

Veröffentlicht
Aktualisiert
Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

Inhaltsverzeichnis

All available in:

No Result
View All Result
Kostenlose Kurzberatung