Data protection impact assessment and prior consultation

A Data Protection Impact Assessments (DPIA) is a tool to determine in advance the privacy risks involved in data processing. Article 35 and Article 36 impose the obligation to conduct a DPIA and to have prior consultation in certain cases.

Data Protection Impact Assessment (DPIA)

If there is a chance that a new type of processing (especially when using new technologies) may cause a high risk to the rights and freedoms of natural persons, the data controller needs to carry out a DPIA. This is especially the case with respect to:

• Automated decisions, including profiling;
• Special categories of data (Article 9) and data relating criminal convictions and offences (Article 10);
• Systematic monitoring of public spaces on a large scale.

Organisations don’t have to carry out DPIAs for all processing operations separately, one DPIA can address a set of similar processing operations that have a similar high risk. When carrying out a DPIA, the controller has to seek advice from the data protection officer (if there is one) and views from data subjects or their representatives (if appropriate).

The DPIA should contain at least:

• A systematic description of the processing operations, purposes and the legitimate interest;
• An evaluation of the necessity and proportionality of the processing operations in relation to the purposes;
• An evaluation of the risks to the rights and freedoms of data subjects;
• Possible measures to address risks and to demonstrate compliance.

A controller is exempted from carrying out a DPIA if:

• processing is necessary for compliance with a legal obligation to which the controller is subject;

• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

If this processing has a legal basis (in EU or Member State law), that law regulates the specific processing operation or if the DPIA has already been carried out as part of general impact assessment. This means that, if a law (EU or national) requires processing and there has been a DPIA with the entry into force of that law, a DPIA is not required, unless the supervisory authority determines otherwise.

Prior consultation

A controller has a legal obligation to consult with the supervisory authority before processing if a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk. Based on this consultation, the supervisory authority provides the controller with written advice.

For prior consultation, the controller needs to provide the following information:

• The respective responsibilities of the controller, joint-controller, and processor;
• The purposes and means of data processing;
• Measures and safeguards taken to protect data subjects’ rights and freedoms;
• The contact details of data protection office (if applicable);
• The DPIA;
• Any other information requested by the supervisory authority.

If you want to know more about DPIAs you can read the guidelines drafted by the Article 29 Data Protection Working Party which you can find below under downloads.