Data Protection Impact Assessment

In terms of Article 35 GDPR, where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. 

A data protection impact assessment shall in particular be required in the case of: 

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; 

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or 

(c) a systematic monitoring of a publicly accessible area on a large scale. 

This Office is in the process of making public a list of the kinds of processing operations that are subject to the requirement for a data protection impact assessment. That national list has been referred to the EDPB for an opinion pursuant to the consistency requirements envisaged under Article 63 of the GDPR.

DPIAs are not subject to the authorisation of the Commissioner. 

The controller is required to consult the supervisory authority prior to processing only when, after carrying out a DPIA and taking reasonable mitigating measures in terms of available technologies to address the high risks identified, residual risks would still be present in the processing operation.

For more general information on this requirement, controllers may access the Guidelines on DPIAs that were adopted by the European Data Protection Board (previously the WP29) on 4 October 2017.

Click here to access guidelines developed by this Office outlining the minimum requirements on the basis of which controllers may develop their own DPIA template for the purpose of conducting a data protection impact assessment.