Processing operations which are likely to pose high risks to the rights and freedoms of individuals should be subject to data protection impact assessment. The controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
When is a Data Protection Impact Assessment (DPIA) required?
A data protection impact assessment is required at least in the following cases:
• a systematic and extensive evaluation of the personal aspects of an individual, including profiling,
• processing of sensitive data on a large scale,
• systematic monitoring of public areas on a large scale.
The controller shall consult the supervisory authority if the impact assessment indicates that processing presents risks that cannot be mitigated
The role of the processor
The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.