Additional Services

Data protection impact assessment (DPIA)

What is a DPIA?

A DPIA, as defined under Article 35 of the GDPR, is a process designed to identify and mitigate any potential risks to individuals’ privacy and data protection rights arising from data processing activities. It is a tool used to evaluate the potential impact of data processing operations on individuals’ privacy and ensure compliance with the GDPR.

Georgine Berger

"The DPIA needs to be carried out prior to the processing, ensuring that the processing activities cannot begin until the DPIA has been completed. It is recommended to initiate the DPIA as early as possible during the planning phase of the processing operation."

When do I need a DPIA?

A DPIA is mandatory where data processing is likely to result in high risks to individuals’ rights and freedoms. The GDPR specifies the following instances where a DPIA is required:

  • in case of system and extensive evaluation of personal aspects that is based on automated processing and significantly effects individuals
  • in case of large-scale processing of special categories of personal data, such as data revealing racial or ethnic origin, religious or philosophical beliefs, genetic or biometric data, or data concerning health
  • in case of systematic monitoring of publicly accessible areas on a large scale
  • in case the kind of processing operation is included on a “black list” of the competent data protection authority
  • a high risk is identified on the basis of preliminary assessment taking into account the nature, scope, context and purposes of the processing

Sebastian Riedlmair

"A common case where a DPIA is required is the combination of fingerprint and facial recognition for the purpose of enhanced access control."

What is a blacklist?

A blacklist is a list issued by the competent data protection authority that refers to data processing activities that are considered to pose significant risks to individuals’ privacy and data protection rights. If a particular processing activity is included on a blacklist, a DPIA is mandatory.

Each member state can create its own blacklist. This means that a processing operation may require a DPIA in one Member State, but not in another.

What is a whitelist?

A whitelist is a list by the competent supervisory authority that includes processing operations that do not require an extensive assessment of potential risk.

When a processing activity is included on the whitelist, it signifies that it has already been assessed and determined to pose minimal risks to individuals’ privacy and data protection rights.

The list allows organizations to focus their DPIA efforts on higher-risk activities while maintaining ongoing compliance and efficient resource allocation.

Each member state can create its own whitelist. This means that a processing operation may require a DPIA in one Member State, but not in another.

Georgine Berger

"It is important to note that even whitelisted activities require continued monitoring and adherence to data protection principles and regulations."

What does a DPIA contain?

A DPIA contains:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights and freedoms of data subjects
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned
  • What is the purpose and benefit of a DPIA?

    The primary purpose of conducting a DPIA is to proactively assess the risks associated with data processing operations, enabling organizations to implement appropriate measures to mitigate or eliminate those risks. By conducting a DPIA, organizations can:

    • Identify and minimize risks: A DPIA helps organizations identify and evaluate potential risks to individuals’ data protection rights. By identifying these risks, organizations can implement necessary safeguards and security measures to minimize or eliminate them.
    • Demonstrate compliance: Conducting a DPIA demonstrates an organization’s commitment to GDPR compliance. It showcases a proactive approach to protecting personal data and ensuring the privacy rights of individuals.
    • Enhance trust and transparency: By conducting a DPIA, organizations show their dedication to transparency and accountability, thereby building trust with individuals whose data they process. It demonstrates that the organization values the privacy and security of personal information.

    Peter Harlander

    "Especially with new technologies such as artificial intelligence, it is always necessary to check whether a DPIA is required."

    What is the penalty for not conducting a DPIA?

    The fine for not conducting a DPIA when required, can be up to €10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

    The actual penalty imposed may depend on various factors, such as the nature and extent of the violation, the cooperation of the organization, the measures taken to mitigate risks, and the organization’s previous compliance history. Each supervisory authority has the discretion to determine the appropriate penalty based on these factors.

    FAQs

    A DPIA contains:

    • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
    • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
    • an assessment of the risks to the rights and freedoms of data subjects
    • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

    A DPIA is needed where data processing is likely to result in high risks to individuals’ rights and freedoms. Here are some examples when a DPIA is required:

    • in case of systematic and extensive evaluation of personal aspects that is based on automated processing and significantly effects individuals
    • in case of large-scale processing of special categories of personal data, such as data revealing racial or ethnic origin, religious or philosophical beliefs, genetic or biometric data, or data concerning health
    • in case of systematic monitoring of publicly accessible areas on a large scale
    • in case the kind of processing operation is included on a “black list” of the competent data protection authority
    • a high risk is identified on the basis of preliminary assessment taking into account the nature, scope, context and purposes of the processing

    The controller is responsible for the carrying out of a DPIA to evaluate, especially, the source, characteristics, specificity, and severity of that risk.

    The controller must carry out the DPIA prior to the processing. The processing may not take place before the assessment of likelihood and severity of the risk.

    The DPIA should include, especially, the measures, safeguards and mechanisms envisaged for mitigating that risk and ensuring the protection of personal data.

    The outcome of the assessment must be considered when determining the TOMs. Where a DPIA indicates that processing activities involve a high risk which the controller cannot mitigate by appropriate TOMs (e.g. no available technology or the costs of implementation are too high), a consultation of the supervisory authority should take place prior to the processing.

    Unfortunately, there is no central European register. Each member state can create its own blacklist. Therefore, a specific processing operation may require a DPIA in one member state, but not in another.

    The classification of a technology as “new” must be taking into account the current state of the art. 

    Scroll to Top
    legalweb.io
    Privacy
    Thank you for visiting dataprotectionofficer.io, the website of Formamentum Technology GmbH in Austria. We use technologies from partners (1) to provide our services. These include cookies and third-party tools to process some of your personal data. These technologies are not strictly necessary for the use of the website, but they do enable us to provide a better service and to interact more closely with you. You can adjust or withdraw your consent at any time.
    asd as asd