DPIA
DATA PROTECTION IMPACT ASSESSMENT
Systematic description purpose of processing
CISO AG is capable of providing your organization with a detailed data protection impact assessment (DPIA) which is a critical requirement within the GDPR framework. We provide a swift assessment service that that will gauge your companies risk profile and vulnerable assets. We are highly experienced in assisting organizations in meeting the GDPR Article 35 requirements.
Specifically Article 35 stipulates that when processing and in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations with regards to the protection of personal data.
A DATA PROTECTION IMPACT ASSESSMENT
Shall in particular be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
- a systematic monitoring of a publicly accessible area on a large scale.
WHAT DPIA SHOULD CONTAIN AT LEAST
According to article 35 of the GDPR:
Systematic description envisaged processing operations
Legitimate interest pursued by controller (where applicable)
Assessment of necessity related to purposes
Assessment of proportionality related to purposes
Assessment of risks to rights and freedoms
Measures envisaged to address risks
Measures envisaged to demonstrate compliance
WHAT DPIA SHOULD CONTAIN AT LEAST
According to article 35 of the GDPR:
Systematic description purpose of processing
Systematic description envisaged processing operations
Legitimate interest pursued by controller (where applicable)
Assessment of necessity related to purposes
Assessment of proportionality related to purposes
Assessment of risks to rights and freedoms
Measures envisaged to address risks
Measures envisaged to demonstrate compliance
Pursuant to Article 35.4 of the Regulation and following the Opinion of the European Data Protection Board (EDPB), this Office established the following processing operations where a Data Protection Impact Assessment (“DPIA”) shall be required to be carried out by controllers prior to the processing.
For the purposes of ensuring consistency across the Union, the list of the kind of processing operations has been established after taking into account the guidelines on DPIAs that were adopted by the WP29 and subsequently endorsed by the EDPB.
The list is non-exhaustive in nature and shall complement and further specify such guidelines.
OVERVIEW
Systematic monitoring
CRITERION 3 OF WP248
Processing of personal data that involves:
- observing, monitoring, or controlling data subjects’ behaviour, in particular, on the online environment;
- specific circumstances where the controller is legally required to process personal data about data subjects without their knowledge;
- operations concerning the use of geolocation data, including but not limited to, for the purpose of direct marketing; or
- monitoring on a large scale of public spaces or private areas accessible by the public.
Automated-decisions
CRITERION 2 OF WP248
Fully or partially automated means of processing, including profiling, which produces legal effects concerning the data subjects or similarly significantly affects them.
Use of innovative technologies
CRITERIA 4 & 7 OF WP248
Any processing of special categories of personal data and of data concerning vulnerable data subjects, through the use of innovative technologies or the implementation of new methods in existing technology.
Special categories of data
CRITERION 4 OF WP248
Processing on a large scale of special categories of data, including, personal data relating to criminal convictions and offences.
Biometric data
CRITERIA 4, 3 AND 7 OF WP248
Any processing activity involving biometric data for the purpose of uniquely identifying data subjects:
- when the data subjects are in a public space or in a private area accessible to the public;
- when the biometric data are processed in conjunction with personal data related to criminal convictions and offences;
- when the biometrics are related to individuals who need high protection such as minors, employees, patients, mentally ill persons and asylum seekers.
Genetic data
CRITERIA 4 & 6 OF WP248
Any processing of genetic data, other than that processed by an individual health care professional when providing a related service directly to the data subjects, for the purpose of matching or combining datasets in a way that would exceed the reasonable expectation of the data subject.
Data concerning vulnerable persons
CRITERION 7 OF WP248
Processing of personal data of vulnerable natural persons, in particular, concerning children, employees and individuals receiving any form of social assistance.
Employee monitoring
CRITERIA 1 & 7 OF WP248
Processing of personal data for the purpose of the evaluation or scoring of aspects concerning the employee’s performance at work, or when the processing increases the power imbalance between the data subjects and the data controller, particularly, when the employees may be unable to easily consent to, or oppose, the processing of their data or exercise their rights.
