The data protection impact assessment is defined in Art. 35 General Data Protection Regulation (GDPR). It is required in the following cases:
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences. The special categories of data referred to in Art. 9 GDPR are:
  - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
  - data concerning health or data concerning a natural person’s sex life or sexual orientation;
  - genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
- Systematic monitoring of a publicly accessible area on a large scale. A publicly accessible area can also be, for example, the service area of a company that is open to the public.
A DPIA may also be required when none of the above cases applies but the processing is still likely to result in a high risk to the rights and freedoms of the data subjects.
The assessment must answer the following questions:
- What are the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller?
- What is the necessity and proportionality of the processing operations in relation to the purposes?
- What are the risks to the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of the processing?
- What are the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned?
The controller is obligated to carry out the DPIA (Art. 35 Paragraph 1 GDPR). The controller must determine (as in other risk management areas) whether a DPIA is necessary and, if so, ensure that it is carried out. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment (Art. 35 Paragraph 2 GDPR). The data protection officer must provide advice where requested as regards the data protection impact assessment and monitor its performance (Art. 39 Paragraph 1(c) GDPR).
If the results of the DPIA show that the data processing can be supported by the giving of consent (specifically Art. 6 GDPR), it must be ensured that the implementation of corrective technical and/or organisational measures sufficiently addresses the risks. The law requires the mitigation of risk, and the importance of mitigation rises with increasing risk to the data subject.
According to Art. 36 GDPR, the controller shall consult the supervisory authority prior to processing where the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Please note the following guidelines regarding the scope of our data protection impact assessment workshop:
- The workshop focuses solely on introducing the data protection impact assessment, evaluating the risks to the rights and freedoms of data subjects and evaluating risk mitigation measures. We cannot guarantee that a comprehensive and fully complete draft of the data protection impact assessment can be created during the workshop time frame. We are not obligated to carry out a data protection impact assessment; rather, we will teach you what is essential and how to evaluate risks and mitigation measures so that you can produce a data protection impact assessment yourself.
- Within the workshop, we can only evaluate the risks to the rights and freedoms of data subjects and evaluate risk mitigation measures for a specific processing operation.
- The controller must provide three scheduling options for the kickoff meeting on different weekdays and at different times. All times must be within the office hours of 9 a.m. and 6 p.m. The individual dates must be within two weeks of each other. If more time is needed, the controller can select a longer time frame.
- As the workshop is conducted remotely, the controller is responsible for their technical setup (e.g. a sufficient and stable internet connection, functioning hardware and software, etc.).
- The service is deemed as rendered if the workshop is completed with the following content: Introduction of the data protection impact assessment, the evaluation of risks to the rights and freedoms of data subjects and the evaluation of risk mitigation measures.
- The workshop is a maximum of 8 hours and is split up as follows: 2h kickoff, 4h risk evaluation, 2h risk mitigation measures.