Data protection impact assessment

A data protection impact assessment (DPIA) is a process designed to identify, assess, and manage the risks that an organization’s use of a particular technology or system poses to the fundamental rights of individuals. It is governed by Article 35 of the General Data Protection Regulation (GDPR) and in most cases replaces prior checking by the supervisory authority.

Requirements

A data protection impact assessment shall be carried out where, due to the nature, scope, circumstances and purposes of the processing, there is likely to be a high risk to the rights and freedoms of natural persons. This is especially the case with:

  • A systematic and comprehensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and which in turn serves as the basis for decisions that produce legal effects concerning natural persons or similarly significantly affect them
  • Extensive processing of special categories of personal data pursuant to Article 9(1) or of personal data relating to criminal convictions and offences pursuant to Article 10 GDPR
  • Systematic extensive monitoring of publicly accessible areas

In addition, a data protection impact assessment must be carried out if the processing operation appears on the list of processing operations requiring such an assessment that the competent supervisory authority publishes pursuant to Article 35(4) GDPR (the “positive list”).

Content

At a minimum, the impact assessment includes the following:

  • A systematic description of the intended processing operations and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the controller
  • An assessment of the necessity and proportionality of the processing operations in relation to the purpose
  • An assessment of the risks to the rights and freedoms of data subjects pursuant to paragraph 1
  • The measures envisaged to address the risks, including safeguards, security measures and procedures ensuring the protection of personal data and demonstrating compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned

Processing operation

The term “processing operation” is not legally defined. The German supervisory authorities understand processing operations to be “the sum of data, systems (hardware and software) and processes”.
