The German data protection authorities (German DPAs) have jointly released a list of processing activities (List) that are subject to a data protection impact assessment (DPIA). The List contains 16 examples.
What is a DPIA?
A DPIA helps to identify, assess and minimise the data protection risks of a project in which personal data are processed. In particular, the broader risks to the rights and freedoms of individuals that result from the processing must be assessed and mitigated by appropriate countermeasures.
DPIAs also support the accountability principle of the General Data Protection Regulation (GDPR): they help organisations demonstrate that they have taken the measures the GDPR requires, so that the processing can be carried out in a compliant manner.
Art. 35 GDPR provides that a DPIA is generally required where the processing of personal data, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR lists three examples where a DPIA is required:
- Systematic and extensive profiling
- Processing of special categories of personal data or criminal offence data on a large scale
- Systematic monitoring of publicly accessible places on a large scale
Art. 35(4) GDPR calls on supervisory authorities to publish lists that further specify the cases in which a DPIA is mandatory.