Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?

Data Protection & Cyber Security

Russia

Russian data protection laws require data controllers to perform an assessment of their PII security systems at least every three years. The data controller may perform such an assessment itself or engage a contractor holding a licence for the technical protection of confidential information issued by FSTEC (see Q. 2 above). Such an assessment implies that the data controller:

  1. identifies and categorizes the types of security threats and the sources of such threats (so-called security threat modeling);
  2. identifies the security characteristics (integrity, accessibility, confidentiality) affected by each security threat;
  3. determines the appropriate level of data protection and chooses the legal, organizational, and technical security measures required to neutralize the identified threats.

Russian law is quite prescriptive in this regard and contains guidance and methodologies on how these procedures should be carried out.

Argentina

The Data Protection Law does not require or recommend conducting risk assessments regarding data processing activities.

If approved, the Data Protection Bill (see question 1) would introduce an obligation for data controllers to conduct impact evaluations in those cases in which the nature, scope, context and purpose of the processing of data mean that there is a high risk of affecting data subjects’ rights.

Brazil

The National Data Protection Authority may require the controller to prepare a data protection impact assessment (DPIA), including for sensitive data, referring to its data processing operations, in accordance with regulations and with due regard for trade and industrial secrets.

According to the LGPD, the DPIA shall contain the description of all personal data processing processes that could generate risks to civil liberties and fundamental rights, as well as measures, safeguards and mechanisms to mitigate these risks.

Bulgaria

No special national rules have been adopted with regard to conducting risk assessments. The general requirements of Article 35 GDPR on the performance of Data Protection Impact Assessments (DPIA) apply.

Data controllers are responsible for introducing appropriate safeguards to ensure compliance with the GDPR, taking into account the risks of varying likelihood and severity to the rights and freedoms of natural persons (Article 35, para. 1 GDPR).

On 13.02.2019, the CPDP published on its website a list of the types of processing operations for which DPIA is required in accordance with Article 35, para. 4 GDPR. Pursuant to this list, data controllers whose main or single establishment is on the territory of the Republic of Bulgaria are required to conduct compulsory DPIA in each of the following cases:

  • Large scale processing of biometric data for the purposes of the unique identification of a natural person, which is not occasional;
  • Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
  • Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
  • Processing operations for which the provision of information to the data subject pursuant to Article 14 of GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when this is related to large scale processing;
  • Personal data processing by a controller whose main place of establishment is outside the EU when its designated representative for the EU is located on the territory of the Republic of Bulgaria;
  • Regular and systematic processing for which the provision of information pursuant to Article 19 GDPR by the controller to the data subject is impossible or involves disproportionate efforts;
  • Processing of personal data of children in relation to the offer of information society services directly to a child;
  • Migration of data from existing to new technologies when this is related to large scale data processing.

Article 35, para. 7 GDPR sets out the minimum features of a DPIA, namely:

  • a systematic description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address the risks and demonstrate compliance with the Regulation.

Switzerland

It is not required under the current FADP. However, it is still recommended that a legal analysis be conducted prior to implementing new data processing activities that might not be compliant with the FADP.

Spain

No official list of processes subject to the requirement of conducting risk assessments on data protection has been released by the Spanish authority, although a draft list has been submitted that relates to the offering of goods or services to data subjects, the monitoring of their behaviour in several Member States and/or a substantial effect on the free movement of personal data within the Union. This draft list was examined by the European Data Protection Board, and the AEPD will have to communicate its final decision to the Board, amending or maintaining its draft list for inclusion in the corresponding register.

Nevertheless, the Spanish authority has published two guidelines to help controllers carry out general risk assessments and data protection impact assessments, available only in Spanish:

https://www.aepd.es/media/guias/guia-analisis-de-riesgos-rgpd.pdf

https://www.aepd.es/media/guias/guia-evaluaciones-de-impacto-rgpd.pdf

Chile

No.

Germany

According to Art. 35 GDPR, a data protection impact assessment (DPIA) must be performed if a type of data processing is likely to present a high risk to the rights and freedoms of the data subjects, given their nature, scope, circumstances and purposes.

Art. 35(3) GDPR lists three situations that require a DPIA: a systematic and extensive evaluation of personal aspects relating to a natural person, in particular their personality and capabilities (e.g. profiling); the processing of certain personal data such as the special categories referred to in Article 9(1) (e.g. health data or data about religious beliefs) or personal data relating to criminal convictions and offences referred to in Article 10; and the systematic monitoring of a publicly accessible area on a large scale.

In accordance with Art. 35(4) and (5) GDPR, each national supervisory authority issues so-called 'blacklists' and 'whitelists', which list processing activities that require or explicitly do not require a data protection impact assessment. These lists may be published, a practice followed for example by the German authorities. The blacklist published by the German authorities includes, for example, the processing of certain categories of personal data (e.g. biometric data, subject to further requirements), cases of extensive processing and certain circumstances of processing (e.g. extensive aggregation and processing of data from different sources).

The GDPR provides minimum requirements regarding the scope of the data protection impact assessment which include:

  • a systematic description of the envisaged processing operations and purposes of the processing, including where appropriate the legitimate interests pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to their purpose(s);
  • an assessment of the risks to the rights and freedoms of the data subjects; and
  • the corrective measures envisaged to address the risks.

Depending on the scope of the DPIA, there are different approaches to assessment and documentation, ranging from workshops and task forces to audits and the like. It is always important to cover all eventualities in order to achieve a reliable and comprehensible risk assessment.

India

Privacy Rules

No such requirement has been prescribed under existing laws. From a practical perspective, such risk assessments would depend on the nature of reasonable security practices and procedures implemented by the body corporate.37

Privacy Bill

The Bill proposes that significant data fiduciaries undertake a data protection impact assessment in specific scenarios, including processing based on the use of new technologies, large-scale profiling or use of SPD, and any other processing activity which could pose a significant risk of harm to Data Subjects.

Such a risk assessment must contain:

(a) description of the processing activity, purpose of processing and nature of PD being processed;

(b) assessment of potential harm to Data Subjects; and

(c) measures for managing / minimizing / mitigating / removing such risk of harm.

37 - Please see our response to Queries 8 and 16 for more details.

China

A CIIO shall conduct a security assessment where the personal information and important data generated from its operation in China need to be provided abroad for business reasons.23 A CIIO shall also, by itself or by entrusting a cybersecurity service provider, conduct an examination and assessment of its cybersecurity and potential risks at least once a year, and submit the results together with improvement measures to the competent authorities.24

Personal information controllers are advised by the PI Specification to establish a personal information security impact assessment system and to conduct a personal information security impact assessment regularly (at least once a year).25 The PI Specification advises personal information controllers to carry out risk assessments in some specific scenarios, such as when ensuring that a delegated processor has sufficient data security capabilities and provides sufficient security safeguards, when sharing and transferring personal information for reasons other than merger, acquisition and restructuring, where personal information has to be publicly disclosed as authorized by law or for reasonable cause, or where personal information collected and produced during operation in the mainland territory of the People's Republic of China is transferred abroad.26 Additionally, when laws and regulations impose new requirements, when a major change occurs to the business model, information system or operational environment, or when a major personal information security incident transpires, a new personal information security impact assessment should be conducted.27

A personal information security impact assessment mainly aims to evaluate whether processing activities comply with the basic principles of personal information security and to assess the impact of personal information processing on the lawful rights and interests of PI subjects.28 In carrying out the assessment, businesses find it helpful to refer to the non-binding draft guide named Information Security Technology – Security Impact Assessment Guide of Personal Information (《信息安全技术 个人信息安全影响评估指南》) (the "PIA Guide"). The PIA Guide provides details on the assessment: who should initiate it, how to prepare, what factors should be considered and how to balance those factors.29

23 - CSL, § 37.
24 - CSL, § 38.
25 - PI Specification, 10.2 a).
26 - PI Specification, 8.1 b), 8.2 a), 8.7.
27 - PI Specification, 10.2 c).
28 - PI Specification, 10.2 v).
29 - PIA Guide, 4.4, 5.2, 5.4-5.6, 6.

Indonesia

There is no specific requirement to conduct risk assessments regarding data processing activities. However, GR 82/2012 requires an ESO to implement risk management against potential damage and loss that may result from threats, disturbances and hindrances to its electronic system. It is further elucidated that the implementation of risk management shall take the form of risk analysis and the formulation of mitigating and preventive steps against such incidents.

Portugal

Under article 35 of the GDPR, carrying out a Data Protection Impact Assessment (DPIA) is mandatory in the case of:

a) A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

b) Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences;

c) A systematic monitoring of a publicly accessible area on a large scale.

On 30 November 2018 the CNPD published its Regulation 798/2018 with the (non-exhaustive) list of the processing operations subject to the requirement for a DPIA, which includes the following:

(i) Processing resulting from the use of electronic devices that transmit, via communication networks, data concerning health;

(ii) Combination of PII or processing that combines sensitive PII or data relating to criminal convictions and offences or data of a highly personal nature;

(iii) Processing of sensitive PII or data relating to criminal convictions and offences or data of a highly personal nature where they were not obtained from the data subject, in case it is not possible or feasible to ensure the right to information;

(iv) Profiling on a large scale;

(v) Processing that allows location or behaviour tracking (employees, customers or passers-by) in order to evaluate or classify data subjects, unless the data processing is necessary for the provision of services specifically required by the data subjects;

(vi) Processing of sensitive PII or data relating to criminal convictions and offences or data of a highly personal nature for archiving purposes in the public interest, scientific research purposes or statistical purposes, unless such processing is authorized by a law that foresees adequate safeguards for the data subjects' rights;

(vii) Processing of biometric data for unambiguous identification of the data subjects, when the latter are vulnerable persons, unless such processing is authorized by law and the latter is preceded by a DPIA;

(viii) Processing of genetic data of vulnerable persons unless such processing is authorized by law and the latter is preceded by a DPIA;

(ix) Processing of sensitive PII or data relating to criminal convictions and offences or data of a highly personal nature using new technologies or new use of existing technologies.

A DPIA, pursuant to article 35(7) of the GDPR, must contain at least:

a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

c) an assessment of the risks to the rights and freedoms of data subjects; and

d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the law, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Where appropriate, controllers must seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the DPIA at least when there is a change of the risk represented by processing operations.

Finally, the Article 29 Working Party Guidelines on DPIA (WP248rev.01) provide guidance on how to carry out a DPIA which controllers, in the absence of specific laws, regulations and guidelines in their jurisdiction, should take into consideration, as these guidelines reflect the position of the European data protection authorities and their interpretation of the GDPR provisions.

United Kingdom

Yes, a data protection impact assessment (DPIA) should be carried out where the intended processing is "likely to result in high risks" to data subjects.

Some examples of when processing is "likely to result in high risks" include:

  • a systematic or extensive evaluation of personal aspects identified through means of automated processing, and on which decisions are based that produce legal effects or significantly affect the person;
  • processing special categories of data, such as health data, on a large scale or personal data relating to criminal convictions and offences; and
  • a systematic monitoring of a publicly accessible area on a large scale.

The current Information Commissioner's Office (ICO) guidance also indicates a DPIA should be conducted if the controller will:

  • use innovative technology (in combination with any of the criteria from the European guidelines available on the European Data Protection Board's website);
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data (in combination with any of the criteria from the European guidelines);
  • process genetic data (in combination with any of the criteria from the European guidelines);
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behavior;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

The assessment should be carried out prior to any processing and contain at least:

  • a description of the proposed processing, its purposes and the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks.

The controller should also seek the advice of the data protection officer (if it has one) when carrying out the above assessment. When appropriate, the controller should seek the views of the data subject (or their representatives) on the intended processing, and consult the ICO prior to processing where the DPIA indicates the processing will result in a high risk due to the absence of available measures to mitigate the risk.

Sweden

Yes, according to article 35 of the GDPR, a controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (data protection impact assessment) where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

The data protection impact assessment shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned.

The Swedish Data Protection Authority has further upheld the principle that a risk and vulnerability analysis must be conducted prior to entering into a cloud computing contract. It is somewhat unclear whether this principle will still be upheld by the Swedish Data Protection Authority following the entry into force of the GDPR.

In addition to the above, some organisations must also take into account the NIS Act and the NIS Ordinance.

In short, the NIS Act and the NIS Ordinance implement the Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (the “NIS directive”) in Sweden.

The NIS Act and the NIS Ordinance apply to both:

  • operators of essential services (for example operators in the banking, health, transport and energy sectors) established in Sweden, whose provision of the essential service depends on network and information systems and where an incident would have a significant disruptive effect on the provision of the service, and
  • digital service providers that have their main establishment in Sweden or have appointed a representative established in Sweden.

The NIS Act and the NIS Ordinance explicitly require operators of essential services to carry out a risk analysis, which shall form the basis for the choice of the operators' security measures in relation to the networks and information systems that they use to provide essential services. The analysis shall include an action plan, be documented and be updated annually.

The NIS Act also indirectly requires digital service providers to carry out a risk analysis, since digital service providers are required, in relation to the risk at hand, to take appropriate and proportionate technical and organisational measures to manage risks that threaten the security of the networks and information systems that they use.

Greece

Article 35 par. 1 of the GDPR provides for a controller's obligation to conduct a DPIA prior to processing where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

Article 35 par. 3 of the GDPR indicates certain types of processing which shall be regarded as 'resulting in high risk'.

The HDPA, in the exercise of its competences and pursuant to the relevant provisions, issued its Decision No 65/2018 by which it drew up and published a list of the types of processing which are subject to the requirement for a DPIA. It is noted, however, that the above list is not exhaustive and therefore, in case the requirements of article 35 par. 1 of the GDPR are met, the controller must conduct a DPIA and comply with all obligations arising from the GDPR. This list further supplements and specifies the respective Guidelines issued on DPIAs.

With regards to the method of conducting a DPIA, the GDPR provides certain flexibility in defining its exact structure and form, as it is not specified by detailed provisions. The same logic has been followed by the Greek draft law. Nevertheless, article 35 par. 7 of the GDPR provides that the assessment shall contain at least a systematic description of the envisaged processing operations and the purposes of the processing, an assessment of necessity and proportionality of the processing operations, an assessment of the risks to the rights and freedoms of data subjects, as well as the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.

Turkey

There are no provisions under the local legislation directly envisaging the conduct of privacy risk assessments. However, in similar fashion, the Board refers to the conduct of a balancing test with respect to the application of the legitimate interest condition, within published guidelines.

In this respect, the Board has recently published a summary decision prescribing the following conditions for considering the legitimate interest condition as a lawful ground for processing personal data:

  • The fundamental rights and freedoms of the data subject and the benefit of processing personal data must be at a competing level.
  • Processing personal data must be necessary in order to reach such benefit.
  • The legitimate interest must be existing, specific and clear.
  • If the legitimate interest of the data controller concerned follows the fundamental rights and freedoms of the data subject, a benefit must be provided, and it must be impossible to obtain this benefit in any other way or method without the processing of personal data.
  • When determining the legitimate interest, the benefit must be based on criteria that are transparent and accountable, such as the fact that this benefit affects a large number of people, is not intended solely for profit or economic benefit, or facilitates business processes or a process (for instance, not in a unit or among a small number of staff, but in a corporate manner).
  • In this regard, the person concerned should be kept away from any foreseeable, obvious and imminent risk in order to prevent violation of their fundamental rights and freedoms, in particular the protection of personal data.
  • All technical and administrative measures limited to the purpose must be taken in order to ensure the proper functioning of the law in a data recording system and to prevent damages and violations.
  • Compliance with the general principles relating to the processing of personal data must be ensured.

Where the above conditions are met, the fundamental rights and freedoms of the individual and the legitimate interests of the data controller are deemed to be in balance.

Austria

According to art. 35 et seq. GDPR, a data protection impact assessment must be carried out, before processing begins, for data processing operations where the risk of an infringement of the rights of data subjects is likely to be high.

The Data Protection Authority has now published a list of processing operations, for which a data protection impact assessment is required in any case (so-called "black list"). Similarly, a "white list" has been published defining data processing operations that do not require a data protection impact assessment.

France

A DPIA should be carried out where the intended processing is "likely to result in high risks" to data subjects. According to the European Data Protection Board's ('EDPB') guidelines, nine criteria are used to determine whether a processing operation is likely to create a high risk to the rights and freedoms of natural persons; this is the case when the processing involves:

  • An evaluation or rating;
  • An automated decision making with legal or similar significant effect;
  • A systematic monitoring;
  • The collection of sensitive data or highly personal data;
  • The collection of personal data processed on a large scale;
  • Cross-referencing or combination of data sets;
  • Data concerning vulnerable persons;
  • Innovative use or application of new technological or organizational solutions;
  • Processing in itself which prevents individuals from exercising a right or benefiting from a service or contract.

The assessment should be carried out prior to any processing and contain at least:

  • A description of the proposed processing, its purposes and the legitimate interest pursued by the controller;
  • An assessment of the necessity and proportionality of the processing operations;
  • An assessment of the risks to the rights and freedoms of data subjects; and
  • The measures envisaged to address the risks.

The controller should also seek the advice of the data protection officer (if it has one) when carrying out the above assessment. When appropriate, the controller should seek the views of the data subjects (or their representatives) on the intended processing. Software for conducting a DPIA, developed by the CNIL, is available free of charge on its website.

Where the result of the DPIA indicates that the processing operations would present a high risk if the controller did not take measures to mitigate the risk, the latter must consult the CNIL before processing is carried out.

In addition to the guidelines adopted by the EDPB in October 2017, the CNIL has published a list of processing operations which require a DPIA:

  • Processing of health data for the care of individuals;
  • Processing of genetic data of vulnerable persons (e.g. patients, employees, children, etc.);
  • Processing operations profiling individuals for the purpose of human resources management;
  • Processing operations for the purpose of constantly monitoring the activity of employees;
  • Processing for the purpose of managing alerts (e.g. whistleblowing) in social and health contexts;
  • Processing operations for the purpose of managing alerts (e.g. whistleblowing) in professional context;
  • Processing of health data necessary for the establishment of a data warehouse or register;
  • Processing involving the profiling of individuals which may result in their exclusion from a contract or in its suspension or termination;
  • Shared processing of contractual breaches, which may lead to a decision to exclude or suspend the benefit of a contract;
  • Processing involving the profiling of individuals based on data from external sources;
  • Processing of biometric data of vulnerable persons (children, elderly, patients, asylum seekers, etc.);
  • Processing operations for management of social housing requests;
  • Processing operations for the purpose of providing social or medico-social support to individuals; and
  • Large-scale processing of location data.

However, this list is not exhaustive and processing operations not included in it may nevertheless be subject to a DPIA.

United States

While periodic risk assessments are often advisable, data security risk assessments are explicitly required only for certain industries in a limited number of jurisdictions. However, security risk assessments are generally deemed to be a necessity of the reasonable security required by a myriad of state and federal laws. Privacy impact assessments have not been mandated by law in the U.S. as they have in other countries. However, the FTC and many state attorneys general have advised adoption of privacy-by-design and use of privacy impact assessments as a best practice.

Malaysia

The Personal Data Protection Standard 2015 prescribes a minimum list of security standards for data processed electronically and provides that a data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, by having regard to those standards. For example, the use of removable media devices for storing personal data is not permitted without written approval from the top management of the organization. Further, there are several sector-specific standards and guidelines which require organisations to apply security measures.

For example, the Central Bank of Malaysia spells out in its policy document on the Management of Customer Information and Permitted Disclosures that all Financial Service Providers (FSPs) must identify potential threats and vulnerabilities that can result in theft, loss, misuse, or unauthorised access, modification or disclosure by whatever means. The policy document also states that FSPs must assess the likelihood that such threats and vulnerabilities will materialise and the potential impact on the FSP and its customers in the event of a customer information breach.

Threats and vulnerabilities to customer information can be internal or external and may arise from negligence or the deliberate act of any person. The risk assessment by FSPs must be proportionate to the size, nature and complexity of the FSP's operations as well as the amount and sensitivity of customer information held. FSPs may leverage existing arrangements, functions or tools that have a similar focus on managing risk to the confidentiality and security of customer information.

Gibraltar

A DPIA is carried out by the data controller and is required in the following circumstances:

  • when undertaking a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data referred to in Article 9(1) of GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of GDPR; or
  • a systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV monitoring of a public place).

A DPIA is typically carried out as follows (Article 35(7) of GDPR):

  • producing a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller;
  • undertaking an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • undertaking an assessment of the risks to the rights and freedoms of data subjects that might arise as a result of the proposed processing of data; and
  • implementing measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned.

Ireland

Yes, a DPIA should be carried out where the intended processing is "likely to result in high risks" to data subjects.

Some examples of processing where a DPIA is required are stated in the GDPR:

  • the systematic or extensive evaluation of personal aspects identified through means of automated processing, and on which decisions are based that produce legal effects or significantly affect the person;
  • processing special category data, such as health data, on a large scale or personal data relating to criminal convictions and offences; and
  • the systematic monitoring of a publicly accessible area on a large scale.

The DPC's current guidance also indicates that a DPIA is required for certain types of processing operations where a documented screening or preliminary risk assessment indicates that the processing is likely to result in a high risk to the rights and freedoms of individuals. These include (but are not limited to):

  • use of personal data on a large-scale for a purpose other than that for which it was initially collected;
  • profiling vulnerable persons (including children) to target marketing or online services at such persons;
  • use of profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects;
  • systematically monitoring, tracking or observing individuals’ location or behaviour;
  • profiling individuals on a large-scale;
  • processing biometric data or genetic data in certain cases; and
  • combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the datasets are combined from different sources where processing was/is carried out for different purposes or by different controllers.

The DPIA should be carried out prior to any processing and contain at least:

  • a description of the proposed processing, its purposes and the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks.

The controller should also seek the advice of the data protection officer (if it has one) when carrying out the above assessment. When appropriate, the controller should seek the views of the data subject (or their representatives) on the intended processing.

Updated: June 17, 2019