Key Facts
  • A data protection impact assessment (DPIA) is a process for identifying, evaluating and managing risks to the fundamental rights of data subjects.
  • It is regulated in Article 35 of the General Data Protection Regulation and in most cases replaces prior checking by the supervisory authority.
  • A DPIA is necessary where the processing of data is likely to result in a high risk, especially in the case of health data or profiling.
  • The content of the DPIA includes a description of the processing and an assessment of its necessity and of its risks.
  • Remedial measures must be planned to protect the rights of those affected.
  • The term "processing operation" is not strictly legally defined; it is understood to cover data, systems and processes.
  • A DPIA is also required if the processing operation appears on the positive list of the competent supervisory authority.

A data protection impact assessment (DPIA) is a process designed to identify, assess and manage the risk that an organization’s use of a particular technology or system poses to the fundamental rights of individuals. It is governed by Article 35 of the General Data Protection Regulation and in most cases replaces prior checking by the supervisory authority.

Requirements

A data protection impact assessment shall be carried out where, due to the nature, scope, circumstances and purposes of the processing, there is likely to be a high risk to the rights and freedoms of natural persons. This is especially the case with:

  • Systematic and comprehensive assessment of personal aspects relating to natural persons which is based on automated processing, including profiling, and which in turn serves as a basis for decisions which produce legal effects concerning natural persons or similarly significantly affect them
  • Extensive processing of special categories of personal data pursuant to Article 9(1) or of personal data relating to criminal convictions and offences pursuant to Article 10 GDPR
  • Systematic extensive monitoring of publicly accessible areas

In addition, a data protection impact assessment must be carried out if the processing operation appears on the positive list drawn up by the competent supervisory authority pursuant to Article 35(4) of the General Data Protection Regulation.

Content

At a minimum, the impact assessment includes the following:

  • A systematic description of the intended processing operations and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the controller
  • An assessment of the necessity and proportionality of the processing operations in relation to the purpose
  • An assessment of the risks to the rights and freedoms of data subjects referred to in Article 35(1) GDPR
  • The measures envisaged to address those risks, including safeguards, security measures and procedures that ensure the protection of personal data and demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned

Processing operation

The term “processing operation” is not legally defined. The German supervisory authorities understand processing operations to be “the sum of data, systems (hardware and software) and processes”.
