Data Protection Impact Assessment (DPIA)

The DPIA process aims to provide assurance that controllers adequately address the privacy and data protection risks of ‘risky’ processing operations. By providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIAs help organisations comply with the requirement of ‘data protection by design’ where it is needed most, i.e. for ‘risky’ processing operations.

A DPIA is in particular required for:

  • systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, and that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data referred to in Article 10, or of personal data relating to criminal convictions and offences referred to in Article 11; or
  • systematic monitoring of a publicly accessible area on a large scale.

The European Data Protection Supervisor (EDPS) has established a template allowing controllers to assess whether they have to carry out a DPIA [annex 6 to Part I of the accountability toolkit]. In addition, the EDPS has established an open list of processing operations subject to the requirement for a DPIA. It lists the usual processing operations that will require a DPIA, saving controllers time:

  (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  (b) processing on a large scale of special categories of data referred to in Article 10, or of personal data relating to criminal convictions and offences referred to in Article 11; or
  (c) a systematic monitoring of a publicly accessible area on a large scale.

The assessment shall contain at least:

  1. a systematic description of the envisaged processing operations and the purposes of the processing;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects referred to in Article 39(1) of Regulation 2018/1725; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Where necessary, the controller shall carry out a review to assess whether the processing is being performed in accordance with the data protection impact assessment, at least when there is a change in the risk represented by the processing operations.

If, following the DPIA, controllers are not sure whether the risks are appropriately mitigated, they should proceed to a prior consultation under Article 40.