The data protection impact assessment, abbreviated DSFA (from the German Datenschutz-Folgenabschätzung), under Art. 35 of the GDPR is mandatory for every company and public authority acting as controller whose processing operations are likely to result in a high risk to the rights and freedoms of data subjects.
“Where, by virtue of the nature, scope, context and purposes of the processing, a form of processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies are used, the controller shall carry out a prior assessment of the impact of the envisaged processing operations on the protection of personal data.”
(Art. 35(1) GDPR)
Obligation and practice of the DSFA
In practice, even otherwise well-informed and well-organized companies are frequently uncertain about which processing operations do or do not require a DSFA under Art. 35. The publications of the supervisory authorities provide useful indications, but they cannot replace a qualified preliminary assessment (threshold analysis) for the specific processing operation, carried out with the involvement of the appointed data protection officer where one exists. This preliminary check is, as a rule, mandatory, and its result must be documented in writing so that the decision for or against a DSFA can be demonstrated to the supervisory authority on request.
The DSFA Must-List
The DSFA must-list published by the Conference of Independent Federal and State Data Protection Authorities (Datenschutzkonferenz, DSK) provides an initial point of reference. Processing operations that appear on it require a DSFA in every case. The must-list contains an authoritative description of each processing activity for which a DSFA is mandatory, together with typical fields of application and examples. The list is not exhaustive: a processing operation can be subject to a mandatory DSFA even if it is not mentioned on the list.
Criteria of the Article 29 Working Party guidelines (WP 248)
The Article 29 Working Party (WP29), the predecessor of the European Data Protection Board, set out criteria for determining whether a DSFA is required in its guidelines on data protection impact assessment, Working Paper 248 (WP 248 rev.01). The paper lists the following nine criteria:
- Evaluation or scoring (including profiling and predicting)
- Automated decision-making with legal or similarly significant effect
- Systematic monitoring
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining of data sets
- Data concerning vulnerable data subjects
- Innovative use or application of new technological or organizational solutions
- Processing that in itself prevents data subjects from exercising a right, using a service or performing a contract
As a rule of thumb, WP 248 states that a processing operation meeting two or more of these criteria will in most cases require a DSFA. However, a DSFA may also be required where only one of the criteria is met, and conversely a controller that decides against a DSFA despite meeting several criteria must be able to justify and document that decision.
Conducting a DSFA
It is advisable to involve the appointed data protection officer at an early stage, already when checking whether a DSFA is required. The DSFA itself should be carried out by a DSFA team with the participation of the DPO. The team should be led by a qualified employee or an external consultant who, in addition to legal qualifications, also has technical and organizational expertise, since the assessment must evaluate concrete technical and organizational measures and their residual risks. If we are commissioned with the management and support of a DSFA, the DSFA team is led by a fully qualified lawyer with a doctorate in law and business informatics. Depending on the processing, processors within the meaning of Art. 28 GDPR may also need to be involved in the DSFA process.
A DSFA is not a one-time measure but a continuous process along the lines of the PDCA cycle (Plan, Do, Check, Act). Measures identified in the assessment must actually be implemented and then reviewed for effectiveness after implementation. Art. 35(11) GDPR also requires the controller to review the assessment where necessary, at the latest when the risk represented by the processing operations changes.
Do you have any questions on this topic? Please do not hesitate to contact us using the contact options provided.