Data Protection Impact Assessment

CISO AG is capable of providing your organization with a detailed data protection impact assessment (DPIA), which is a critical requirement within the GDPR framework. We provide a swift assessment service that will gauge your company's risk profile and vulnerable assets. We are highly experienced in assisting organizations in meeting the GDPR Article 35 requirements.

Data Protection

Specifically, Article 35 stipulates that where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

A data protection impact assessment shall in particular be required in the case of:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  • a systematic monitoring of a publicly accessible area on a large scale.

What a DPIA should contain at a minimum, according to Article 35 of the GDPR

  • a systematic description of the purposes of the processing;
  • a systematic description of the envisaged processing operations;
  • the legitimate interest pursued by the controller (where applicable);
  • an assessment of the necessity of the processing in relation to its purposes;
  • an assessment of the proportionality of the processing in relation to its purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address those risks; and
  • the measures envisaged to demonstrate compliance.

GDPR Article 35

Pursuant to Article 35.4 of the Regulation and following the Opinion of the European Data Protection Board (EDPB), this Office established the following processing operations where a Data Protection Impact Assessment (“DPIA”) shall be required to be carried out by controllers prior to the processing.

For the purposes of ensuring consistency across the Union, the list of the kind of processing operations has been established after taking into account the guidelines on DPIAs that were adopted by the WP29 and subsequently endorsed by the EDPB.

The list is non-exhaustive in nature and shall complement and further specify such guidelines.

Criterion 3 of WP248

Processing of personal data that involves:

  • observing, monitoring, or controlling data subjects’ behaviour, in particular, on the online environment;
  • specific circumstances where the controller is legally required to process personal data about data subjects without their knowledge;
  • operations concerning the use of geolocation data, including but not limited to, for the purpose of direct marketing; or
  • monitoring on a large scale of public spaces or private areas accessible by the public.

Criterion 2 of WP248

Fully or partially automated means of processing, including profiling, which produces legal effects concerning the data subjects or similarly significantly affects them.

Criteria 4 & 7 of WP248

Any processing of special categories of personal data and of data concerning vulnerable data subjects, through the use of innovative technologies or the implementation of new methods in existing technology.

Criterion 4 of WP248

Processing on a large scale of special categories of data, including, personal data relating to criminal convictions and offences.

Criteria 4, 3 and 7 of WP248

Any processing activity involving biometric data for the purpose of uniquely identifying data subjects:

  • when the data subjects are in a public space or in a private area accessible to the public;
  • when the biometric data are processed in conjunction with personal data related to criminal convictions and offences;
  • when the biometrics are related to individuals who need high protection such as minors, employees, patients, mentally ill persons and asylum seekers.

Criteria 4 & 6 of WP248

Any processing of genetic data, other than that processed by an individual health care professional when providing a related service directly to the data subjects, for the purpose of matching or combining datasets in a way that would exceed the reasonable expectation of the data subject.

Criterion 7 of WP248

Processing of personal data of vulnerable natural persons, in particular, concerning children, employees and individuals receiving any form of social assistance.

Criteria 1 & 7 of WP248

Processing of personal data for the purpose of the evaluation or scoring of aspects concerning the employee’s performance at work, or when the processing increases the power imbalance between the data subjects and the data controller, particularly, when the employees may be unable to easily consent to, or oppose, the processing of their data or exercise their rights.