Data protection impact assessment

from Wikipedia, the free encyclopedia

A data protection impact assessment (DPIA) is a structured risk analysis that the controller must carry out under data protection law in certain cases in order to assess, in advance, the possible consequences of planned data processing operations.

The DPIA is regulated in Art. 35 of the General Data Protection Regulation (GDPR). It must be carried out if, due to the nature, scope, context and purposes of the processing, the processing is likely to result in a high risk to the rights and freedoms of natural persons. This is particularly the case with:

  • systematic and comprehensive evaluation of personal aspects of natural persons, which is based on automated processing including profiling and which in turn serves as the basis for decisions that have legal effects on natural persons or affect them in a similarly significant manner
  • extensive processing of special categories of personal data in accordance with Article 9 (1) or personal data on criminal convictions and offenses in accordance with Article 10 GDPR
  • systematic extensive monitoring of publicly accessible areas

The impact assessment contains at least the following:

  • a systematic description of the planned processing operations and the purposes of the processing, including, if applicable, the legitimate interests pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purpose;
  • an assessment of the risks to the rights and freedoms of the data subjects in accordance with paragraph 1 and
  • the measures planned to address the risks, including guarantees, safeguards and procedures to ensure the protection of personal data and to demonstrate compliance with the Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned

Processing operation

The term "processing operation" is not defined in the GDPR or the Federal Data Protection Act. Processing operation means all data processing activities that are necessary to fulfil a particular purpose. The information published by the responsible bodies in accordance with Art. 35 GDPR is sometimes referred to as a "list of processing operations".
