Data Protection Impact Assessment

If you have determined that the processing is likely to result in a high risk to the rights and freedoms of data subjects, you must carry out a data protection impact assessment (DPIA) for each processing operation.

The DPIA allows the controller to:

  • develop privacy friendly personal data processing operations and products,
  • assess the impact on the privacy of data subjects,
  • demonstrate that the fundamental principles of the GDPR are respected.

The goal is to assess the risks from the point of view of the data subject.

1. What are the goals of a data protection impact assessment (DPIA)?

Where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

DPIAs are tools that help identify and minimize these risks for new projects. They are part of your accountability obligations under the GDPR and are in line with the principles of data protection by design and data protection by default.

A DPIA helps you to identify and address problems at an early stage, demonstrate compliance with data protection obligations, meet individuals’ expectations of privacy and prevent damage to the reputation of your organization.

To this end, it is important to integrate the DPIAs into your entity’s organizational processes and ensure that the results influence the entity’s plans.

In some cases, it is mandatory to carry out a DPIA. However, it can also be useful to carry out a DPIA in cases where it’s not mandatory.

2. What is meant by "the rights and freedoms of natural persons"?

The reference to the rights and freedoms of natural persons refers mainly to data protection and the protection of privacy but also, where appropriate, to other fundamental rights, such as freedom of speech, freedom of thought, freedom of movement, prohibition of discrimination, the right to freedom and freedom of conscience and religion.

3. When should a DPIA be carried out?

A DPIA is required where the processing is likely to create a high risk to the rights and freedoms of data subjects.

A DPIA shall in particular be required in the case of:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  2. processing on a large scale of special categories of data referred to in Article 9(1) of the GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
  3. a systematic monitoring of a publicly accessible area on a large scale.

A DPIA may also be carried out on a voluntary basis in order to identify and deal as effectively as possible with the risks, even if they are minor, to the rights and freedoms of individuals.

It is recommended to read the guidelines of the European data protection authorities on DPIAs and determining whether the processing is "likely to result in a high risk".

Examples:

Examples of processing

Possible relevant criteria

DPIA required?

A hospital processing its patients’ genetic and health data (hospital information system).

  • Sensitive data
  • Data concerning vulnerable data subjects
  • Large scale processing

Yes

The use of a camera system to monitor driving behaviour on highways. The controller envisages to use an intelligent video analysis system to single out cars and automatically recognize license plates.

  • Systematic monitoring
  • Innovative use or applying technological or organisational solutions

Yes

A company monitoring its employees’ activities, including the monitoring of the employees’ work station, internet activity, etc.

  • Systematic monitoring
  • Data concerning vulnerable data subjects

Yes

An online magazine using a mailing list to send a generic daily digest to its subscribers.

  • None

No

An e-commerce website displaying adverts for vintage car parts involving limited profiling based on past purchase behaviour on certain parts of its website.

  • Evaluation or scoring, but not systematic or extensive

No

 

4. What can a data protection impact assessment cover?

A DPIA may relate to a single data processing operation and can also be used to evaluate several similar processing operations in terms of nature, scope, context, purposes and risks.

5. What should a data protection impact assessment contain?

The following criteria can be used by data controllers to determine whether a DPIA or a DPIA methodology under consideration is sufficiently complete to meet the requirements of the GDPR:

  • A systematic description of the processing is provided [article 35, paragraph 7, point a)]:
    • The nature, scope, context and the of the processing are taken into account (recital 90)
    • The personal data concerned, the recipients and the period for which the personal data will be kept are specified;
    • A functional description of the processing operation is provided;
    • The assets on which the personal data are based (hardware, software, networks, individuals, paper documents or paper transmission channels) are identified;
    • Compliance with approved codes of conduct is taken into account (article 35, paragraph 8);
  • The necessity and the proportionality are assessed [article 35, paragraph 7, point b)]:
    • The measures envisaged to ensure compliance with the Regulation are determined, [article 35, paragraph 7, point d), and recital 90] taking into account:
      • Measures contributing to the respect of the principles of proportionality and necessity of processing, based on the following requirements:
        • Specified, explicit and legitimate purposes article 5, [paragraph 1, point b)];
        • Lawfulness of processing (article 6);
        • Adequate, relevant and limited data to what is necessary [article 5, paragraph 1, point c)];
        • Limited retention period [article 5, paragraph 1, point e)];
      • Measures contributing to the rights of the data subjects:
        • Information provided to the data subject (articles 12, 13 and 14);
        • Right of access and right to data portability (articles 15 and 20)
        • Right to rectification and right to erasure (articles 16, 17 and 19)
        • Right to restriction of processing and right to object (articles 18, 19 and 21)
        • Relations with the processors (article 28)
        • Guarantees surrounding the international transfers (chapter V)
        • Prior consultation (article 36)
  • The risks to the rights and freedoms of data subjects are managed [article 35, paragraph 7, point c)]:
    • The origin, the nature, the particularity and the gravity of the risks are assessed (recital 84) or, more specifically, for each risk (illegitimate access to data, unwanted modification of data, disappearance of data) from the point of view of the data subjects:
      • The sources of risks are taken into account (recital 90)
      • Potential impacts on the rights and freedoms of data subjects are identified in case of events such as illegitimate access to data, an unwanted modification of data or their disappearance;
      • Threats that could lead to illegitimate access to data, an unwanted modification or their disappearance are identified;
      • The probability and the gravity are assessed (recital 90);
      • The measures envisaged to deal with those risks are determined [article 35, paragraph 7, point d), and recital 90];
    • Interested parties are involved:
      • The opinion of the DPO is obtained (article 35, paragraph 2);
      • The point of view of the data subjects or their representatives are gathered, where appropriate (article 35, paragraph 9). 

 

6. I got an authorization by the CNPD to carry out a processing operation under the Amended Act of 2 August 2002. Do I need to carry out a DPIA?

The obligation to carry out a DPIA applies to existing processing operations that are likely to result in a high risk to the rights and freedoms of individuals and for which the associate risks have evolved, taking into account the nature, scope, context and purposes of the processing.

If the processing operations have been authorized by the CNPD and if they have not changed since their implementation, it is not mandatory to carry out a DPIA.

But, this also means that any processing operations where the conditions (scope, purposes, personal data collected, identity of data controllers or recipients, data retention period, technical and organizational measures, etc.) have changed since the authorization was issued by the CNPD and are likely to result in a high risk, require a DPIA.

Moreover, a DPIA may be necessary as a result of a risk evolution arising from processing operations, for example due to the use of new technology or the use of personal data for different purposes. Processing operations may evolve rapidly and new vulnerabilities may emerge. Therefore, it should be noted that revising a DPIA is not only useful for continuous improvement but also essential for maintaining the level of data protection in an environment that changes over time. A DPIA may also become necessary as a result of changes in the organizational or societal context of the processing activity, for example if it becomes apparent that the effects of certain automated decisions have increased or that new categories of persons concerned appear vulnerable to discrimination. In each of these examples, the factor in question may lead to a change in the risks arising from the processing activity concerned.

Conversely, certain developments can also reduce risks. Take, for example, a processing operation that has evolved so that decision-making is no longer automated or a monitoring activity that has lost its systematic nature. In this case, the risk review may show that a DPIA is no longer necessary.

7. When shall the CNPD be consulted?

The data controller must consult the CNPD in cases where the identified risks cannot be sufficiently addressed (i.e. the residual risks remains high). The CNPD will then give an opinion on the planned processing operation and the risk management of the controller (prior consultation).

Processing may only be carried out after implementing the recommandations in the opinion of the CNPD.

8. What information should be provided as part of a prior consultation?

The request for prior consultation must be sent to the CNPD with the form for submitting an impact assessment. It is imperative that the impact assessment addresses all the admissibility criteria in section “2. Criteria for an acceptable DPIA” of the form.

Missing criteria may result in the suspension of the processing of the DPIA until the missing information is obtained from the data controller.

The CNPD may request any other useful information in order to give an opinion.

9. How can an impact assessment be submitted to the CNPD?

The request for prior consultation shall be sent to aipd@cnpd.lu

You may use the downloadable gpg public key to secure the transmission of information by encrypting it.

10. What does the CNPD do after receiving a request for prior consultation?

The CNPD analyses the management of residual risk related to the DPIA.

It provides written advice to the controller and, where applicable to the processor within period of up to eight weeks of receipt of the request for consultation. That period may be extended by six weeks, taking into account the complexity of the intended processing. 

The CNPD shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the CNPD has obtained information it has requested for the purposes of the consultation.

11. How often should the impact assessment be reevaluated?

Carrying out a DPIA is not a one-time exercise. It is an an on-going process that helps you to manage the risks resulting from a processing. It is important to reevaluate the DPIA when there is a change of the risk represented by the processing operation.

If you make significant changes to how or why personal data are processed, or concerning the amount of data that is collected, you must demonstrate that your DPIA is assessing the new risks associated with those changes.

12. Should the DPIA be published?

Publishing a DPIA is not a legal requirement of the GDPR.

It is left upon the controller´s decision. However, data controllers should consider publishing their DPIA, or perhaps part of their DPIA. The purpose of such a process would be to help foster trust in the controller’s processing operations, and demonstrate accountability and transparency. 

Définitions :

  • "New technologies": processing involving the use of new technologies or new applications of existing technologies (e.g. artificial intelligence).
  • "Tracing an individual" processing that involves tracing the geolocation or behavior of individuals, including but not limited to the online environment.
  • "Target children": the use of children's personal data for marketing, profiling or automated decisions or the intention to offer online services directly to children.
Dernière mise à jour