Data protection impact assessment (DPIA)

What is a DPIA?

A DPIA, as defined under Article 35 of the GDPR, is a process designed to identify and mitigate any potential risks to individuals’ privacy and data protection rights arising from data processing activities. It is a tool used to evaluate the potential impact of data processing operations on individuals’ privacy and ensure compliance with the GDPR.

Georgine Berger

“The DPIA needs to be carried out prior to the processing, ensuring that the processing activities cannot begin until the DPIA has been completed. It is recommended to initiate the DPIA as early as possible during the planning phase of the processing operation.”

When do I need a DPIA?

A DPIA is mandatory where data processing is likely to result in a high risk to individuals’ rights and freedoms. In particular, a DPIA is required in the following cases:

  • in case of a systematic and extensive evaluation of personal aspects that is based on automated processing and significantly affects individuals
  • in case of large-scale processing of special categories of personal data, such as data revealing racial or ethnic origin, religious or philosophical beliefs, genetic or biometric data, or data concerning health
  • in case of systematic monitoring of publicly accessible areas on a large scale
  • in case the kind of processing operation is included on a “blacklist” of the competent data protection authority
  • in case a high risk is identified on the basis of a preliminary assessment taking into account the nature, scope, context and purposes of the processing

Sebastian Riedlmair

“A common case where a DPIA is required is the combination of fingerprint and facial recognition for the purpose of enhanced access control.”

What is a blacklist?

A blacklist is a list issued by the competent data protection authority that refers to data processing activities that are considered to pose significant risks to individuals’ privacy and data protection rights. If a particular processing activity is included on a blacklist, a DPIA is mandatory.

Each Member State can create its own blacklist. This means that a processing operation may require a DPIA in one Member State but not in another.

What is a whitelist?

A whitelist is a list issued by the competent supervisory authority of processing operations that do not require an extensive assessment of potential risk.

When a processing activity is included on the whitelist, it signifies that it has already been assessed and determined to pose minimal risks to individuals’ privacy and data protection rights.

The list allows organizations to focus their DPIA efforts on higher-risk activities while maintaining ongoing compliance and efficient resource allocation.

Each Member State can create its own whitelist. This means that a processing operation may be exempt from a DPIA in one Member State but not in another.

Georgine Berger

“It is important to note that even whitelisted activities require continued monitoring and adherence to data protection principles and regulations.”

What does a DPIA contain?

A DPIA contains:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights and freedoms of data subjects
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

What is the purpose and benefit of a DPIA?

The primary purpose of a DPIA is to proactively assess the risks associated with data processing operations so that the organization can implement appropriate measures to mitigate or eliminate those risks. By conducting a DPIA, organizations can:

  • Identify and minimize risks: A DPIA helps organizations identify and evaluate potential risks to individuals’ data protection rights. Once these risks are known, the organization can implement the safeguards and security measures needed to minimize or eliminate them.
  • Demonstrate compliance: A documented DPIA is evidence of an organization’s commitment to GDPR compliance. It shows a proactive approach to protecting personal data and the privacy rights of individuals.
  • Enhance trust and transparency: By conducting a DPIA, organizations show their dedication to transparency and accountability and thereby build trust with the individuals whose data they process. It demonstrates that the organization values the privacy and security of personal information.

Peter Harlander

“Especially with new technologies such as artificial intelligence, it is always necessary to check whether a DPIA is required.”

What is the penalty for not conducting a DPIA?

The fine for not conducting a DPIA where one is required can be up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The actual penalty imposed may depend on various factors, such as the nature and extent of the violation, the cooperation of the organization, the measures taken to mitigate the risks, and the organization’s previous compliance history. Each supervisory authority has the discretion to determine the appropriate penalty based on these factors.

FAQs

Who is responsible for carrying out a DPIA?

The controller is responsible for carrying out the DPIA and, in doing so, for evaluating in particular the origin, nature, particularity and severity of the risk.

When must the DPIA be carried out?

The controller must carry out the DPIA before the processing starts. The processing may not begin until the likelihood and severity of the risk have been assessed.

What must be included in the DPIA?

The DPIA must, in particular, set out the measures, safeguards and mechanisms envisaged for mitigating that risk and ensuring the protection of personal data.

What if the DPIA shows that the processing involves a high risk for data subjects?

The outcome of the assessment must be taken into account when determining the technical and organisational measures (TOMs). Where a DPIA indicates that the processing would involve a high risk that the controller cannot mitigate by appropriate TOMs (for example because no suitable technology is available or the cost of implementation is disproportionate), the controller must consult the supervisory authority before the processing starts (Article 36 GDPR).

Where do I find the blacklist?

Unfortunately, there is no central European register. Each Member State can create its own blacklist, so a specific processing operation may require a DPIA in one Member State but not in another.

When is a technology considered “new”?

Whether a technology is classified as “new” must be judged against the current state of the art.
