RGPD alt

This post is also available in: Español

Will organizations be required to carry out privacy impact assessment when carrying out any type of personal data processing?

No. A privacy impact assessment or data protection impact assessment (DPIA) is only required if a type of data processing is likely to pose a high risk for individuals’ rights and freedoms.

Data processing will be considered to entail a risk if one of the following factors applies: automated decision-making relating to the data subjects; assessment or rating of these persons; systematic monitoring; use of confidential data; large-scale processing; processing of vulnerable persons’ data; and transferring data outside the European Union (EU).

A DPIA is particularly required when the data processing involves (i) any systematic and extensive evaluation of personal aspects of data subjects based on automated processing, including profiling, on which decisions are based that produce legal effects for the individuals, or that could significantly affect them in a similar way; (ii) large-scale processing of sensitive personal data; and (iii) large-scale and systematic monitoring of a publicly accessible area. Moreover, the supervisory authorities are required to establish and make public a list of the processing operations that require a DPIA, as already occurred in Belgium, for example.

Conversely, when processing does not entail a high risk for individuals’ rights and freedoms, a DPIA is not necessary. Nor is a DPIA required when (i) a similar DPIA exists, or (ii) the processing operation has a legal basis in EU or Member State law and a DPIA has already been carried out as part of a general impact assessment within the establishment of that legal base. The national supervisory authorities can also establish a list of the processing operations for which no DPIA is required.

At the same time, the Article 29 Data Protection Working Party has clarified that a DPIA will only be necessary for processing operations started after the GPDR is applicable on May 25, 2018, or that change significantly after that date. Although not mandatory, a DPIA is recommended for processing operations already existing before May 2018; when there is a change of the risk resulting from the processing operation concerned; or when the organizational or societal context for the processing activity changes.

This post is also available in: Español



97 artículos