Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα
Home Page Contact Ελληνικά
 

LOGO

Home Page / Information for data controllers / Impact Assessment (DPIA)

Impact Assessment (DPIA)

Data Protection Impact Assessment

INTRODUCTION

· Data Protection Impact Assessment (DPIA) is a process that helps organisations to identify and minimise risks resulting from the processing operations.
· It is recommended that DPIA be carried out for certain types of processing listed in the indicative list or in any other processing operation that are likely to result in a high risk to the rights and freedoms of natural persons,.
· It is also good practice to carry out a DPIA in any other significant activity which requires the processing of personal data.
· A DPIA must:
- Describe the nature, the scope, the context and the purposes of processing;
- Evaluate the necessity, proportionality and measures for compliance;
- Identify and assess the risks for individuals;
- Define any additional measures for the mitigation of such risks.
· To assess the level of risk, organisations must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
· The data controller must seek the advice of the Data Protection Officer (if appointed) and, as the case may be, may also seek the views of the data subjects and experts. The processors may also contribute.
· If an identified high risk cannot be mitigated, the controller must consult the Commissioner before initiating the processing.
· The Commissioner may provide written advice in complicated cases. If appropriate, the Commissioner may issue a formal warning not to process the data, or ban the processing altogether. Non-compliance with DPIA requirements can lead to fines imposed by the Commissioner.
· The European Data Protection Board has issued guidelines aiming at a better implementation of the provisions of the GDPR in this field.

When a DPIA must be carry out by a controller?

For each processing activity, especially through the use of new technologies, which is likely to result in a high risk to the rights and freedoms of natural persons, carrying out a DPIA is required prior to the processing, to identify the measures envisaged to mitigate those risks to an acceptable level and to demonstrate compliance with the GDPR.

Criteria defining when there is a high risk:

1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person, or

2. processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or.

3. A systematic monitoring of a publicly accessed area on a large scale.

Definitions/clarifications:

Special categories of personal data: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Large scale processing: The Regulation does not define what constitutes a large scale processing nevertheless recital 91 provides certain guidance.

The EDPB recommends that the following parameters be taken into consideration in deciding whether a processing is done on a large scale:

(a) The number of the data subjects involved, whether as a specific number or a percentage of the relevant population.
(b) The volume of data and/or the range of different data items being processed.
(c) The duration or the permanence of the data processing activity.
(d) The geographical extent of the processing activity.

Systematic monitoring: processing used to observe, monitor or control data subjects, including the data collected through networks.

One or more of the following meanings shall be attributed to the term “systematic”:

- occurring according to a system;
- pre-arranged, organised or methodical;
- taking place as part of a general plan for data collection;
- carried out as part of a strategy.

“Publicly accessible area” is any place open to any member of the public, for example a piazza, a shopping centre, a street, a market place, a train station or a public library.

Note: the more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA, regardless of the measures which the controller envisages to adopt. However, in certain cases in which only one of the said criteria is met the data controller may still decide to carry out a DPIA.

Conversely, a processing operation may correspond to the above mentioned cases and still be considered by the controller not to be “likely to result in a high risk”. In such cases the controller should justify and document the reasons for not carrying out a DPIA, and include/record the views of the data protection officer.

Below is an indicative list of processing operations that require a DPIA.

Moreover, in the context of the principle of accountability, each controller must keep a record of processing activities under his responsibility, in which should be included inter alia, the purposes of processing, and should assess if the processing is likely to result in a high risk, even if eventually the controller decides not to carry out a DPIA.

In which cases the DPIA is not required?

When the processing “is not likely to result in high risk to the rights and freedoms of natural persons.”

For example:
· A processing of the personal data of patients or clients of an individual physician or other health care professional,

· A processing of personal data of the clients of a lawyer,

· An on-line magazine that uses mailing list for sending general daily newsletters to its subscribers,

· An e-commerce website displaying adverts for vintage car parts involving limited profiling based on items viewed or purchased on its own website.

What is applicable to ongoing processing activities?

The need to carry out a DPIA applies to ongoing processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, taking into consideration the nature, scope, context and aims of the processing.

When should a DPIA be carried out?

A DPIA should be undertaken prior to the processing. This is consistent with data protection by design and by default principles (Article 25 of the GDPR). The DPIA should be seen as a tool for helping decision-making concerning the processing.

Whose responsibility is it to carry out a DPIA?

The controller is responsible for ensuring the conduct of a DPIA. A DPIA may be carried out by another person, within or outside the organisation, however the ultimate responsibility for the particular task lies with the controller. It the processing or part thereof has been delegated to a processor, the processor is obliged to provide assistance to the controller during the DPIA.

The controller must also seek the views of the data protection officer (DPO), where appointed.

The data controller must seek the views of data subjects or their representatives, whenever necessary.

What is the methodology to carry out a DPIA?

Various methodologies may be used, albeit applying common criteria.

The GDPR allows for flexibility to the controllers in determining the precise structure and form of a DPIA, in order for it to fit the existing work practices. There are numerous established procedures within the EU and worldwide that take into consideration the components described in recital 90. However, whatever its final form, the DPIA must constitute a real assessment of risks, affording the controllers the possibility of taking measures to address them.

Examples of existing DPIA templates of the EU can be found in Annex 1 to the guidelines.

In Annex 2 to the guidelines there are certain common criteria that have been defined so as to allow the controllers to adopt different approaches, while at the same time complying with the GDPR. These criteria clarify the basic requirements of the Regulation and provide sufficient ground for the use of different forms of implementation. Such criteria can be used to demonstrate that a specific DPIA methodology meets the required standards laid out by the GDPR. The controller has the competence to choose the methodology, which, however, must conform to the criteria of Annex 2.

You will also find below indicative questions that can be used when carrying out a DPIA.

Is there an obligation to publish the DPIA?

No. The publication, however, of a summary could help in building trust, while the full DPIA must be communicated to the Commissioner, in case of prior consultation or if requested by the Commissioner.

When must the supervisory authority be consulted?

When the residual risks are high.

The data controller is responsible for the assessment of risks to the rights and freedoms of data subjects and for identifying the measures to reduce those risks to an acceptable level, as well as for demonstrating compliance with the GRDP.

An example of mitigating the risks which has to do with the storage of personal data on laptops could be the use of suitable technical and organisational security measures (effective full disk encryption, strong key management, appropriate access control, secured backups etc.) in addition to existing policies (notice, consent, right of access, right to object, etc.).

Only in those cases where the controller cannot find sufficient measures for the mitigation of risks to an acceptable level (i.e. the residual risks remain high) consultation with the Commissioner is required.

For the purposes of consultation, the controller must submit to the Commissioner the following:
· The data protection impact assessment
· Where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings; The purposes and the means of the intended processing
· The measures and safeguards provided to protect the rights and freedoms of data subjects under the Regulation
· The contact details of the Data Protection Officer, if appointed

In brief

When designing a processing operation that involves high risk, the controller should ensure to:
· choose a methodology for the DPIA (examples are set out in Annex 1) or define and apply a systematic DPIA methodology which -
        - meets the criteria of Annex 2;
        - is integrated into the existing processes of design, development, modification and review of risks and functions in accordance with the internal processes, context and mentality;
        - includes the relevant stakeholders and clearly defines their responsibilities (data controller, Data Protection Officer, data subjects or their representatives, technical support, persons carrying out the processing, information security officers etc.).
· submit the DPIA report, if so required, to the Commissioner;
· consult the Commissioner where sufficient measures for the mitigation of high risk have not been defined;
· review regularly the DPIA and the processing under evaluation, at least when the risk posed by the processing activity has changed;
· substantiate the decisions made.


Indicative questions in the course of conducting a DPIA

1. Description of the processing operations: occasional or continued?

2. In which departments of the organisation, IT systems and infrastructure does the DPIA relate?

3. What is the purpose of the processing operation?

4. What is the legitimate interest pursued by the controller?

5. What are the benefits of the intended processing operation to the controller, to the data subjects and possibly to third parties?

6. What are the categories of personal data that will be processed? State precisely the special categories of personal data and whether personal data concerning criminal convictions and offences will be processed.

7. Which categories of natural persons are affected?

8. What are the sources of personal data collection?

9.1. Is a retention period set out for storing personal data?

9.2. How long is the retention period?

9.3. What is the procedure for deleting the data? e.g. automatically.

10. 1. Is the intended processing operation in line with the basic principles governing the processing of personal data? (article 5 of the Regulation)

10.2. In which way the intended processing operation is necessary and proportional to the purpose pursued?

11. What is the legal basis for the intended processing operation (articles 6 and 9 of the Regulation)?

12. 1. Will personal data be disclosed or communicated outside the organisation? Who will be the recipients and what is the purpose of the disclosure or communication?

12.2. What is the legal basis for the said disclosure or communication (articles 6 and 9 of the Regulation)

13. What are the existing technical and organisational security measures being applied for the protection of the rights and freedoms of individuals against the processing of personal data? Give detailed description.

14. Are these measures updated regularly in order to take account of new technological developments?

15. Have security risks or possible adverse effects on the protection of personal data (risks to the rights and freedoms of data subjects) been identified?

16. Do current IT systems provide protection against the security risks identified?

16.1. If the answer is yes, provide details on how the current systems offer appropriate protection against security risks.

16.2. If answer is no, list the measures to be taken by the organisation to ensure the mitigation of such risks.

17. Which persons/departments will undertake the management and control of the proper implementation of measures and what is the time-limit for completing these tasks?

18. Are there any procedure defined to ensure the exercise of data subjects’ rights?

19. In the event of automated decision making (e.g. profiling), what is the logic, significance and results of such processing on the data subjects?

20. 1. Will the personal data of individuals be transferred to third countries?

20.2. If personal the answer is yes, what are the legal grounds for such transfer (articles 45 to 49 of the GDPR)?

21. Was an agreement concluded with another controller where the purposes and means of the processing are jointly determined?

22. 1. In the event where the processing or part thereof is to be carried out by a processor is this processing governed by a contract?

22.2. Is the said contract binding on the processor as regards to the obligations stemming from article 28(3) of the Regulation?

23. Was there any security risks identified and/or for the rights and freedoms of the data subjects, the mitigation of which was not possible through the application of the existing measures and/or after additional ones were taken?

24. Who are the people involved for carrying out the DPIA and what is their position within the organisation?

For more details, please check the guidelines below on impact assessment prepared by the EDPB (4 October 2017).




Κατεβάστε το αρχείο τύπου Acrobat Indicative DPIA list.pdf

Κατεβάστε το αρχείο τύπου Acrobat Guidelines on DPIAs ENG.pdf

Back To Top