Where a type of processing operation, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Article 35.3 of the GDPR establishes that a Data Protection Impact Assessment (DPIA) is required, in particular, in the case of:
“a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
b) processing on a large scale of special categories of data referred to in Article 9.3, or of personal data relating to criminal convictions and offences referred to in Article 10; or
c) a systematic monitoring of a publicly accessible area on a large scale.”
To determine what is meant by “large scale”, reference can be made to the Article 29 Data Protection Working Party’s guidelines on Data Protection Officers (DPOs), which consider that the assessment of whether processing is conducted on a large scale should take the following factors into account:
- the number of data subjects concerned - either as a specific number or as a proportion of the relevant population
- the volume of data and/or the range of different data items being processed
- the duration, or permanence, of the data processing activity
- the geographical extent of the processing activity.
Article 35.4 of the GDPR provides that supervisory authorities must establish and make public a list of the kinds of processing operations that are subject to the requirement for a Data Protection Impact Assessment. This Authority considers that a DPIA must be carried out for the processing operations included in the following list (Catalan version available).
This list is based on the guidelines on the DPIA and on determining whether processing is likely to result in a high risk as established in Regulation (EU) 2016/679, adopted by the Article 29 Data Protection Working Party on 4 April 2017 (hereinafter, WP 248) and endorsed by the European Data Protection Board at its meeting of 25 May 2018.
The list is not exhaustive and will be updated regularly. The absence of a particular processing operation from the list does not mean that no DPIA is required. It should always be confirmed that the processing is not likely to result in a high risk to the rights and freedoms of natural persons, especially if new technologies are being used.
These criteria apply not only to controllers that wish to carry out processing operations included in the list, but also to bodies and institutions that intend to draw up a draft legislative provision which involves one or more of those operations. In such a case, if the draft legislation has been subjected to a Data Protection Impact Assessment, the controller will not be required to conduct another following enactment.
Once the DPIA has been performed and prior to initiating the processing, the controller should submit a consultation addressed to this Authority, unless the existence of the high risk to the rights and freedoms of natural persons has been mitigated by implementation of the appropriate technical and organisational measures.
For further information, see the Guidelines of the Article 29 Working Party on the Data Protection Impact Assessment (DPIA) and determining whether processing is likely to result in a high risk for the purposes of Regulation (EU) 2016/679 (WP 248), endorsed by the European Data Protection Board (EDPB) at its Meeting of 25 May 2018.
APDCAT Guide to the Data Protection Impact Assessment in the GDPR.
You will find a Data Protection Impact Assessment (DPIA) template through this link.