CISO AG is capable of providing your organization with a detailed data protection impact assessment (DPIA), which is a critical requirement within the GDPR framework. We provide a swift assessment service that will gauge your company's risk profile and vulnerable assets. We are highly experienced in assisting organizations in meeting the GDPR Article 35 requirements.
Specifically, Article 35 stipulates that when processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations with regard to the protection of personal data.
Pursuant to Article 35.4 of the Regulation and following the Opinion of the European Data Protection Board (EDPB), this Office established the following processing operations where a Data Protection Impact Assessment (“DPIA”) shall be required to be carried out by controllers prior to the processing.
For the purposes of ensuring consistency across the Union, the list of the kind of processing operations has been established after taking into account the guidelines on DPIAs that were adopted by the WP29 and subsequently endorsed by the EDPB.
The list is non-exhaustive in nature and shall complement and further specify such guidelines.
Processing of personal data that involves:
Fully or partially automated means of processing, including profiling, which produces legal effects concerning the data subjects or similarly significantly affects them.
Any processing of special categories of personal data and of data concerning vulnerable data subjects, through the use of innovative technologies or the implementation of new methods in existing technology.
Processing on a large scale of special categories of data, including personal data relating to criminal convictions and offences.
Any processing activity involving biometric data for the purpose of uniquely identifying data subjects:
Any processing of genetic data, other than that processed by an individual health care professional when providing a related service directly to the data subjects, for the purpose of matching or combining datasets in a way that would exceed the reasonable expectation of the data subject.
Processing of personal data of vulnerable natural persons, in particular, concerning children, employees and individuals receiving any form of social assistance.
Processing of personal data for the purpose of the evaluation or scoring of aspects concerning the employee’s performance at work, or when the processing increases the power imbalance between the data subjects and the data controller, particularly, when the employees may be unable to easily consent to, or oppose, the processing of their data or exercise their rights.