Nadradený pojem:
Susedné pojmy:
Ktorých spracovateľských operácií sa DPIA týka?
Zobraziť pojem v strome
Doména: Európska únia
Definícia
Podľa metodiky:
"When is a DPIA mandatory? Where a processing is “likely to result in a high risk”.
The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons.
The carrying out of a DPIA is only mandatory where a processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4)).
It is particularly relevant when a new data processing technology is being introduced. In cases where it is not clear whether a DPIA is required, the WP29 recommends that a DPIA is carried out nonetheless as a DPIA is a useful tool to help data controllers comply with data protection law.
Even though a DPIA could be required in other circumstances, Article 35(3) provides some examples when a processing is “likely to result in high risks”: - “(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person10 ; - (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 1011 ; or - (c) a systematic monitoring of a publicly accessible area on a large scale”.
As the words “in particular” in the introductory sentence of Article 35(3) GDPR indicate, this is meant as a non-exhaustive list. There may be “high risk” processing operations that are not captured by this list, but yet pose similarly high risks. Those processing operations should also be subject to DPIAs.
For this reason, the criteria developed below sometimes go beyond a simple explanation of what should be understood by the three examples given in Article 35(3) GDPR.
"When is a DPIA mandatory? Where a processing is “likely to result in a high risk”.
The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons.
The carrying out of a DPIA is only mandatory where a processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4)).
It is particularly relevant when a new data processing technology is being introduced. In cases where it is not clear whether a DPIA is required, the WP29 recommends that a DPIA is carried out nonetheless as a DPIA is a useful tool to help data controllers comply with data protection law.
Even though a DPIA could be required in other circumstances, Article 35(3) provides some examples when a processing is “likely to result in high risks”: - “(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person10 ; - (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 1011 ; or - (c) a systematic monitoring of a publicly accessible area on a large scale”.
As the words “in particular” in the introductory sentence of Article 35(3) GDPR indicate, this is meant as a non-exhaustive list. There may be “high risk” processing operations that are not captured by this list, but yet pose similarly high risks. Those processing operations should also be subject to DPIAs.
For this reason, the criteria developed below sometimes go beyond a simple explanation of what should be understood by the three examples given in Article 35(3) GDPR.