DPIA
DATA PROTECTION IMPACT ASSESSMENT
According to article 35 of the GDPR:
Systematic description of the purpose of processing
Systematic description of the envisaged processing operations
Legitimate interest pursued by controller (where applicable)
Assessment of necessity related to purposes
Assessment of proportionality related to purposes
Assessment of risks to rights and freedoms
Measures envisaged to address risks
Measures envisaged to demonstrate compliance
Pursuant to Article 35.4 of the Regulation and following the Opinion of the European Data Protection Board (EDPB), this Office established the following processing operations where a Data Protection Impact Assessment (“DPIA”) shall be required to be carried out by controllers prior to the processing.
For the purposes of ensuring consistency across the Union, the list of the kinds of processing operations has been established after taking into account the guidelines on DPIAs that were adopted by the WP29 and subsequently endorsed by the EDPB.
The list is non-exhaustive in nature and shall complement and further specify such guidelines.
Systematic monitoring
Processing of personal data that involves:
Automated decisions
Fully or partially automated means of processing, including profiling, which produces legal effects concerning the data subjects or similarly significantly affects them.
Use of innovative technologies
Any processing of special categories of personal data and of data concerning vulnerable data subjects, through the use of innovative technologies or the implementation of new methods in existing technology.
Special categories of data
Processing on a large scale of special categories of data, including personal data relating to criminal convictions and offences.
Biometric data
Any processing activity involving biometric data for the purpose of uniquely identifying data subjects:
Genetic data
Any processing of genetic data, other than that processed by an individual health care professional when providing a related service directly to the data subjects, for the purpose of matching or combining datasets in a way that would exceed the reasonable expectation of the data subject.
Data concerning vulnerable persons
Processing of personal data of vulnerable natural persons, in particular children, employees and individuals receiving any form of social assistance.
Employee monitoring
Processing of personal data for the purpose of the evaluation or scoring of aspects concerning the employee’s performance at work, or when the processing increases the power imbalance between the data subjects and the data controller, particularly when the employees may be unable to easily consent to, or oppose, the processing of their data or exercise their rights.