All available in:
- Data protection impact assessment (DPIA ) is a process for identifying, evaluating and managing risks to fundamental rights.
- Regulated in Article 35 of the General Data Protection Regulation, often replaces prior checking by the supervisory authority.
- DPIA necessary in case of high risk due to processing of data, especially health data or profiling.
- Content of the DPIA includes description, assessment of necessity and risks of processing.
- Remedial measures must be planned to protect the rights of those affected.
- The term "processing operation" includes data, systems and processes, not strictly legally defined.
- DPIA required if on the positive list of the competent supervisory authority.
A data protection impact assessment (DPIA) is a process designed to identify, assess, and manage the risk posed to individuals by an organization’s use of a particular technology or system to their fundamental rights. It is governed by Article 35 of the General Data Protection Regulation and in most cases replaces prior checking by the supervisory authority.
Requirements
A data protection impact assessment shall be carried out where, due to the nature, scope, circumstances and purposes of the processing, there is likely to be a high risk to the rights and freedoms of natural persons. This is especially the case with:
- Systematic and comprehensive assessment of personal aspects relating to natural persons which is based on automated processing, including profiling, and which in turn serves as a basis for decisions which produce legal effects concerning natural persons or similarly significantly affect them
- Extensive processing of special categories of personal data pursuant to Article 9(1) or of personal data relating to criminal convictions and offences pursuant to Article 10 GDPR
- Systematic extensive monitoring of publicly accessible areas
In addition, a data protection impact assessment must be carried out if it is on the positive list pursuant to Article 35(4) of the General Data Protection Regulation of the competent supervisory authority.
Content
At a minimum, the impact assessment includes the following:
- A systematic description of the intended processing operations and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the controller
- An assessment of the necessity and proportionality of the processing operations in relation to the purpose
- An assessment of the risks to the rights and freedoms of data subjects pursuant to paragraph 1 and
- The mitigating measures envisaged to address the risks, including safeguards, security measures and procedures ensuring the protection of personal data and demonstrating compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other data subjects
Processing operation
The term “processing operation” is not legally defined. The German supervisory authorities understand processing operations to be “the sum of data, systems (hardware and software) and processes”.