Data Protection Impact Assessment (DPIA) according to Article 35 GDPR
The data protection impact assessment (DPIA) is set out in Article 35 GDPR and is a risk analysis used to describe and assess risks prior to the processing of certain data. The data protection impact assessment is a complex process within data protection which does not have to be carried out prior to every data processing activity, but only for particularly critical processing operations which either use a certain automated system or involve special categories of personal data (according to Article 9 and Article 10 of the GDPR). Assessing the risk of the processing is intended to reduce that risk.
The risk analysis or impact assessment for data processing already existed in the BDSG (old). The corresponding procedure was regulated in Section 4d (5) and (6) and required prior checking as soon as automated processing operations entailed particular risks for the rights and freedoms of the data subjects.
Most important information about the data protection impact assessment (DPIA):
- With the GDPR, data controllers are obliged to carry out a risk analysis for data processing.
- This risk analysis is the basis for deciding whether a data protection impact assessment (abbreviated to "DPIA") must be prepared if a high risk arises.
- The legal requirements for the DPIA are described in Article 35 GDPR.
- Certain organisations are obliged to carry out a DPIA.
- The data protection supervisory authorities have drawn up lists of processing activities for which a DPIA must or must not be carried out.
- The performance of the DPIA as well as the implemented measures to reduce identified risks are part of the documentation and accountability obligation pursuant to Art. 5 para. 2 GDPR.
- The data protection officer supports the controller in carrying out the DPIA in accordance with Art. 35 (2) GDPR.
Whitepaper: Implementing a data protection impact assessment step by step in line with data protection requirements
In the whitepaper "Implementing a data protection impact assessment step by step in line with data protection requirements" you will:
- Get information on the definition of the data protection impact assessment
- Understand the legal requirements from Article 35 of the GDPR
- Learn the minimum legal requirements for a DPIA
- Learn how to implement a data protection impact assessment in only 6 steps
- Including the must lists of the DSK and the BfDI
What is a data protection impact assessment?
The data protection impact assessment, or "DPIA" for short, is an instrument of the General Data Protection Regulation (GDPR) to protect personal data in processing activities. This protection is ensured through risk analysis, which is used to examine the possible consequences of processing operations. Therefore, the DPIA is also considered part of data protection risk management. Its basis in data protection law is defined in Article 35 of the GDPR.
The aim of carrying out a DPIA is to take appropriate protective measures in the form of technical and organisational measures at an early stage in order to reduce the probability of occurrence of the identified risks.
The standard examples pursuant to Article 35 (3) of the GDPR: When is a data protection impact assessment mandatory?
Every company should check planned data processing operations to see whether they entail a risk to the rights and freedoms of natural persons. However, not every processing activity entails the obligation to carry out a data protection impact assessment. Article 35 (3) of the GDPR names the following standard examples:
- Systematic and comprehensive assessment of personal aspects of natural persons which is based on automated processing, including profiling, and which in turn serves as the basis for decisions which have legal effect vis-à-vis natural persons or affect them in a similarly significant way;
- Extensive processing of special categories of personal data referred to in Article 9(1) or of personal data relating to criminal convictions and offences referred to in Article 10 (e.g. health data), or
- Systematic, comprehensive monitoring of publicly accessible areas (e.g. video surveillance).
From these three points, three cases can be derived in which public and non-public bodies are obliged to carry out a DPIA as a prior check:
- Credit reporting agencies that work with personal scoring procedures
- Organisations that systematically monitor publicly accessible spaces by video
- Organisations that collect, store and process data relating to criminal offences and criminal convictions
At what point should the DPIA be carried out?
A data protection impact assessment is a complex process that must be carried out before processing starts. However, existing processing activities must also be reviewed to determine whether they also fall under the obligation of a DPIA. The Data Protection Conference (DSK) assesses the preparation of a DPIA as relatively time-consuming and recommends carrying it out with the support of a data protection management system, especially since the preparation of the data protection impact assessment is not a one-time process, but rather a continuous process of preparation, execution, implementation and review. The assessment of risks per processing activity is possible with the Robin Data ComplianceOS®.
What is the must list of a data protection impact assessment according to Art. 35 (4) GDPR?
According to Art. 35 (4) GDPR, data protection supervisory authorities are obliged to publish a list of the processing operations for which a data protection impact assessment is to be carried out in accordance with paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
You will find an overview of the must lists per federal state in the section Publications and downloads.
If a processing activity is included in the list, a data protection impact assessment must be carried out for it. The lists of the supervisory authorities are continuously extended and are therefore not to be regarded as conclusive. As a matter of principle, controllers must check whether one of the cases from Art. 35 (3) GDPR applies or a high risk according to Art. 35 para. 1 GDPR exists.
What are the minimum contents of the data protection impact assessment pursuant to Article 35 (7) of the GDPR?
According to Art. 35 (7) GDPR, the minimum requirements for carrying out an impact assessment are as follows:
- a systematic description of the intended processing operations and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purpose;
- an assessment of the risks to the rights and freedoms of the data subjects referred to in paragraph 1; and
- the mitigating measures envisaged to address the risks, including safeguards, security measures and procedures to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Carrying out the data protection impact assessment in 6 steps
Step 1: Planning and analysis of the processing activity
The data protection impact assessment should be carried out before the introduction of the processing activity. As a first step, data controllers should therefore collect and describe planned processing activities and then check them by means of risk analysis. Existing processing activities must also be checked to see whether they also fall under the obligation of a data protection impact assessment. The preparation of the data protection impact assessment should not be regarded as a one-off process, but as a continuous process within data protection management.
Step 2: Check the need for a DPIA
The following approach is recommended:
- Check: Is the processing activity part of the "must list" of the competent supervisory authority?
- If not: Does one of the points under Art. 35 (3) GDPR apply to the processing activity?
- If not: Is there a high risk according to Art. 35 para. 1 GDPR? (Carry out the threshold analysis)
- If not: No data protection impact assessment needs to be carried out
Step 3: Assessment of processing activities by means of threshold analysis
The register of processing activities contains all data processing processes of your company. The better the documentation of the processing activities, the easier the subsequent data protection impact assessment. Accordingly, the register is also the starting point for the DPIA and, at best, the threshold analysis of the respective processing activity and the classification of whether it requires a data protection impact assessment are carried out directly in it.
- Controllers can assess whether a DPIA needs to be carried out for processing activities by means of a systematic risk assessment, the so-called threshold analysis.
- The results of the threshold analysis are part of the data protection documentation
- It is recommended to document the threshold analysis in the respective processing activity
- The preliminary stage of a risk analysis is an assessment of the need for protection of the personal data to be processed based on the types of data (customer data, employee data, tax data, health data, etc.).
A data protection impact assessment is necessary for a processing activity if the majority of the threshold analysis criteria are fulfilled. The criteria for classifying processing operations are taken from WP 248 Rev. 01 and are the following:
- Data of vulnerable data subjects are processed
- Transfer of personal data outside the EU takes place
- Novel technologies are used
- Scoring, profiling, evaluation of persons is carried out
- Data files of personal data are compared or merged
- Systematic monitoring of persons is carried out
- Personal data on a large scale are processed
- The exercise of data subjects' rights is impeded
- Sensitive personal data are processed (pursuant to Art. 9 GDPR)
- Automated individual decisions are made
Step 4: Assess the existing risks
Once the existing risks have been identified on the basis of the processing activities in the company, the level of risk to the rights and freedoms of natural persons must be assessed. For this purpose, the following aspects (Recital 75 of the GDPR) are considered in more detail:
- Probability of occurrence and amount of damage: The probability of occurrence and the amount of damage of a risk can be classified as negligible, low, medium or high.
- Danger to the civil liberties of those affected: The processing of personal data that does not comply with data protection law can have far-reaching consequences. It can lead to physical, material or non-material damage, in particular if the processing leads to discrimination, identity theft or fraud, financial loss, damage to reputation, and more.
- Assessment of the risk: On the basis of the possible consequences for the civil liberties of those affected, the overall risk for those affected must be assessed. The consequences for those affected range from no impairment or no particular impairment, through impairment of reputation or existence, to danger to life, limb or personal freedom.
- Risk minimisation measures: Based on the previous steps, measures must be defined with which the existing risk can be avoided, transferred or mitigated.
- Implementation effort: The effort required for the measures to be implemented should also be taken into account. Measures should be implementable with a proportionate effort in relation to the purpose, risk and possibilities of the responsible party.
- Risk assessment after the measure has been taken: Controllers then assess whether the risk has been adequately reduced on the basis of the measures implemented. If the risk has not been adequately reduced, the processing activity concerned may not be continued.
Step 5: Selection of suitable measures to reduce the risks
The identified risks must be reduced or even prevented by appropriate measures. For this purpose, appropriate technical or organisational measures are selected, assessed and implemented. If it turns out during implementation that planned measures are not effective or sufficient to reduce the risks, new measures must be selected or the processing activities must be adapted. After the measures have been established, they are tested for their effectiveness.
Step 6: Documentation of the data protection impact assessment carried out
According to Art. 5 para. 2 GDPR, the controller is subject to a documentation and accountability obligation under which compliance with the General Data Protection Regulation must be demonstrated to the supervisory authority. The documentation of the data protection impact assessment carried out and a confirmation of the effectiveness of the implemented measures are important building blocks for fulfilling this obligation.
What can happen if companies do not perform a DPIA?
If a company does not carry out a data protection impact assessment although this would be necessary, it faces warnings in the mildest case and fines from the data protection supervisory authorities in the worst case. Article 83(4) of the GDPR provides for fines for breaches of provisions relating to data protection impact assessment of up to EUR 10 million or, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding business year, whichever is the greater.
Is the implementation of the DPIA the responsibility of the data protection officer?
According to Article 35(1) GDPR, the controller must carry out the data protection impact assessment. Since the DPIA is a complex procedure, the data protection officer supports its implementation in accordance with Art. 35 (2) GDPR. This only applies in the event that a data protection officer has been appointed.
Support in the implementation of DPIAs
Implementing the various legal and normative requirements of data protection impact assessment can seem complicated. Regular reviews and updates of processing activities and data subject risk assessment are an essential part of your data protection management system. Our Data Protection Officers (DPOs) are happy to help you implement your DPIAs. Find out about the benefits, process and costs with Robin Data.
Data protection impact assessment with Robin Data software
Import processing activities
The special thing about Robin Data is that the data protection software already has thousands of examples and templates from the area of data protection. These have been entered into the database of our compliance platform by Robin Data's data protection officers and lawyers. You can import the processing activities that apply to your company from the Robin Data database with just a few clicks.
Perform threshold analysis
Use the online form to assess the risks posed to data subjects by this processing activity. As a rule of thumb, a data protection impact assessment is required if at least 2 of the following criteria are fulfilled. Where applicable, a data protection impact assessment must be prepared.
Carry out a data protection impact assessment
You can create several DPIAs per processing activity and thus treat several risks of this procedure separately. In many cases, it may be appropriate to prepare only one DPIA per procedure. You develop the necessary contents of the data protection impact assessment step by step and establish relevant contents for risk treatment.
Technical or organisational measures
Search Robin Data's database for suitable risk reduction measures and import them into your data protection documentation. You can store the selected measures directly with the corresponding processing activity.
Create data protection documentation along the way
By working out the relevant steps for a data protection impact assessment in the Robin Data software, you document them simultaneously and automatically. You can export important components such as the list of processing activities as a PDF from the software and save it locally. In this way, you comply with the verification and accountability obligations of the GDPR and are prepared for an inspection by a data protection supervisory authority.
Visit our free demos
We regularly offer online demos in which we introduce you to our Robin Data data protection software. Get insight into the structure and functional scope of the digital activity report of the Robin Data software. Our experts will give you and other interested parties comprehensive insight and answer your questions.
Publications and downloads
European Data Protection Board
- Guidance on data protection impact assessment (DPIA) and answering the question whether a processing operation is "likely to result in a high risk" within the meaning of Regulation 2016/679 (WP 248 Rev. 01)
French Data Protection Supervisory Authority
The Federal Data Protection Commissioner's "must list" for data protection and information security
- List of processing operations pursuant to Article 35(4) of the GDPR for processing activities of federal public bodies
Data Protection Conference
- Brief Paper No. 5: Data Protection Impact Assessment according to Art. 35 GDPR
- List of processing activities for which a DPIA must be carried out
- Data Protection Impact Assessment - Bavarian Blacklist - List of processing operations pursuant to Art. 35 (4) GDPR for the Bavarian public sector (PDF)
- Data protection impact assessment (guidance)
- Data protection impact assessment - methodology and case study
The "must lists" of other federal states
- Baden-Württemberg (list for the non-public sector)
- Bavaria (list for the public sector) *
- Berlin (list for the non-public sector) / Berlin (list for the public sector)
- Brandenburg (list for public sector) / Brandenburg (joint list for public / non-public sector)
- Bremen (lists for the public / non-public area as direct download)
- Hamburg (List for the non-public sector) / Hamburg (list for the public sector)
- Hesse (joint list for public / non-public sector)
- Mecklenburg-Western Pomerania (list for public sector)*
- North Rhine-Westphalia (list for public sector)*
- Rhineland-Palatinate (list for public sector)*
- Saarland refers to the DSK list
- Saxony (joint list for non-public / public sector)
- Saxony-Anhalt (list for the public sector) *
- Schleswig-Holstein (joint list for public / non-public sector)
- Thuringia (joint list for public / non-public sector)
* Refers to the DSK list for the non-public sector