Site icon Privacy-Security-Consulting

The Data Protection Impact Assessment (DPIA) according to Art. 35 GDPR

The data protection impact assessment, or DSFA for short, under Art. 35 of the GDPR is mandatory for all companies and public authorities that use processing operations that are likely to result in a high risk for the data subject.

“Where, by virtue of the nature, scope, context and purposes of the processing, a form of processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies are used, the controller shall carry out a prior assessment of the impact of the envisaged processing operations on the protection of personal data.”

(Art. 35 GDPR para. 1)

Obligation and practice of the DSFA

In practice, it is not uncommon to find that even otherwise informed and well-positioned companies are uncertain regarding the assessment of which processing operations do or do not require a DSFA under Art. 35. To date, the publications of the authorities have provided indications in this regard, but these cannot replace a qualified preliminary assessment by the appointed data protection officer, if one exists. This pre-audit is generally mandatory, and the result must be recorded in writing.

The DSFA Must-List

The DSFA must list of the Conference of Independent Federal and State Data Protection Authorities provides an initial point of reference. Processing operations listed here require a DSFA in any case. The must-do list contains an authoritative description of the processing activities for which a DSFA must be performed in any case, as well as typical fields of application and examples. The list is not exhaustive; even without being mentioned on the list, one or more processing operations may be subject to a mandatory DIA.

Criteria of the guideline in WP 248 of the Art. 29 Group

The WP 29 Group has provided criteria for considering whether a DSFA is required in Working Paper 248. The paper contains the following points:

If two or more points of the list of criteria in Group 29 apply, a DSFA must be performed. However, a DSFA may also be required if only one of the criteria mentioned is present.

Conducting a DSFA

It is advisable to involve the appointed data protection officer at an early stage in the check for a DSFA requirement. A DSFA should be performed by a DSFA team with the participation of the DPO. The management of a DSFA team should be in the hands of a qualified employee or external consultant. In addition to legal qualifications, this person should also have technical and organizational qualifications. If we are commissioned with the management and support of a DSFA, the management of a DSFA team is in the hands of a fully qualified lawyer with a doctorate in law and business informatics. Depending on the processing, Article 28 processors may also need to be involved in the DSFA process.

A DSFA is not to be understood as a one-time measure, but as a process according to the PDCA cycle. Initiated measures must be implemented and checked for effectiveness after realization.

Do you have any questions on this topic? Please do not hesitate to contact us using the contact options provided.

Diese Seite verwendet die Shariff-Lösung der Ct.
Ihre Daten werden erst dann an Dritte übertragen, wenn Sie auf den entsprechenden Button klicken.

Herzlichen Dank fürs Teilen und Bekanntmachen dieser Seite.

Exit mobile version