Checklist: data protection impact assessment (DPIA)

Under the AVG, data controllers may be required to conduct a data protection impact assessment (DPIA) (Art. 35 AVG). For the civil service, this obligation already applied before the entry into force of the AVG. A DPIA is a methodology for mapping out the privacy risks of a data processing operation in advance and mitigating them where possible. A DPIA is an important accountability tool: it not only helps your organization meet the requirements of the AVG, but also helps to demonstrate that appropriate measures have been taken in order to comply with the AVG (Art. 5(2) jo. Art. 24 AVG).

16 July 2018

Organizations are not required to conduct a DPIA for every data processing operation. A DPIA is only mandatory if a data processing is likely to pose a high privacy risk to data subjects (Art. 35(1) AVG and WP 248).

Even if a DPIA is not mandatory, carrying out a (partial) DPIA is advisable for (new) data processing operations. Such a partial assessment is referred to as a 'DPIA-light' or a 'Privacy Quick Scan'. In this way, organizations can also identify and mitigate privacy risks for these processing operations. A 'DPIA-light' or 'Privacy Quick Scan' contributes to the demonstrability of compliance measures.

When should your organization conduct a DPIA (Art. 35(1), (3) and (4) AVG):

The DPIA must be carried out prior to the data processing in question if any of the following cases are involved (Art. 35 para. 1, 3 and 4 and Recitals 90 to 93):

When there is a high risk, given (Art. 35(1) AVG):

  • the use of new technologies;

  • the nature of the data processing;

  • the extent of data processing;

  • the context of data processing;

  • the purposes of data processing.

In the following situations (Art. 35(3) AVG):

  • your organization uses decision-making or similar measures based on automated processing such as profiling;

  • your organization processes special categories of personal data on a large scale;

  • your organization routinely and extensively inspects publicly accessible spaces.

The European privacy supervisors refined the criteria of Art. 35(3) AVG in WP 248 and established additional criteria against which to assess whether there is a high risk. The more of these criteria a data processing operation meets, the more likely it is to be high risk:

  • evaluating and assessing data subjects, including profiling and forecasting (see also Art. 35(3)(a) AVG);

  • automated decision-making with legal consequences or similar effects;

  • systematic observation, monitoring or control (see also Art. 35(3)(c) AVG);

  • processing of special, criminal or otherwise sensitive personal data (see also Art. 35(3)(b) AVG);

  • large data processing operations, considering the number of data subjects, the amount of personal data, the duration and geographical scope of the processing;

  • linking and combining datasets;

  • vulnerable data subjects who, given the situation, are less able to freely give consent or oppose data processing, such as employees, children, mentally challenged persons, asylum seekers, the elderly and patients;

  • use of new technologies;

  • cross-border transfer of personal data to countries outside the European Union.

When the national privacy regulator has included the type of data processing in a list of processing operations for which a DPIA is required (blacklist) (Art. 35(4) AVG).

When is there an exception and/or it is not mandatory for your organization to conduct a DPIA (Art. 35(5) and (10) AVG):

  • when a type of processing is not likely to present a high risk to the rights and freedoms of natural persons;

  • when the nature, scope, context and purposes of the data processing are similar to those of a data processing operation for which a DPIA has already been carried out (WP 248);

  • when the data processing was already supervised by the national privacy supervisor before May 25, 2018 and the circumstances have not changed (WP 248);

  • when the national privacy supervisor has explicitly included the type of data processing in a list of processing operations for which a DPIA is not required (white list) (Art. 35(5) AVG);

  • when the data processing finds its legal basis in a legal obligation or a task of public interest (Art. 6(1)(c) or (e) AVG), and a DPIA has already been carried out in the context of establishing that legal basis (Art. 35(10) AVG);

  • when the processing has already been checked by the FG (the data protection officer) (WP 248).

What should your organization do with existing data processing (WP 248):

In principle, your organization does not need to conduct a DPIA for existing processing operations, unless (one of) the situations below applies (recitals 89 and 171 AVG):

When an existing data processing operation - already reviewed by the privacy supervisor or FG - has been modified, given:

  • the scope of data processing;

  • the purpose of data processing;

  • the personal data that are processed;

  • the identity of the controller or recipients of the data processing;

  • data processing retention periods;

  • technical and organizational measures of data processing;

  • modified risks of data processing.

In the context of evaluation and accountability, when an existing data processing operation is likely to present a high risk to the rights and freedoms of natural persons and no DPIA has yet been carried out for it (Recitals 89 and 171 AVG, as well as Art. 5(2) AVG).

Examples of data processing operations that can be assessed using a DPIA (not exhaustive) (see also WP 248):

A data processing that focuses on a single topic or project, such as:

  • the introduction of a new access card system;

  • the commissioning of a hospital information system;

  • the systematic tracking of employee activities on the Internet;

  • the commissioning of an e-mail address list for sending information;

  • the display of advertisements on a website based on browsing behavior.

Multiple data processing operations similar to each other in scope, purpose, context and risks, such as:

  • rolling out camera surveillance within multiple stations;

  • the commissioning of (smart) cameras on highways.

A data processing operation that focuses on the use of a new technology, including hardware or software, such as:

  • the introduction of a smart energy meter;

  • the introduction of an IoT device.

It is possible that there are examples above where, in the concrete case, there is no likelihood of the processing posing a high risk to the rights and freedoms of natural persons, as a result of which your organization does not have to carry out a DPIA. If this is the case, your organization must document why this is the case and why it has chosen not to conduct a DPIA (comply or explain) (see WP 248).

What minimum requirements must the DPIA meet (Art. 35(7) AVG):

  • description of the data processing characteristics: a systematic description of the intended processing operations and processing purposes, including, where applicable, the legitimate interests pursued by the controller;

  • assessment of the lawfulness of the data processing: an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

  • description and assessment of the risks to data subjects: an assessment of the risks to the rights and freedoms of data subjects;

  • description of the intended measures: the measures envisaged to address the risks and to demonstrate compliance with the Regulation;

  • the DPIA does not have to be published by the organization, but the European privacy supervisors advise doing so in order to increase trust and transparency. This may be different in the case of a DPIA for public authorities;

  • the DPIA must be provided to the privacy supervisor upon request.

Evaluate, monitor and renew DPIA (Art. 35(11) AVG):

  • where necessary, your organization should conduct a review to assess whether the current data processing is still carried out in accordance with the DPIA;

  • a review is mandatory if the risks of the data processing change;

  • the European privacy regulators recommend as good practice that the DPIA be re-run every 3 years.

Role of FG and process information FG, processor and data subjects:

The DPIA must be conducted by or on behalf of the controller. However, your organization may need to seek advice or information from individuals within and/or outside your organization:

  • if your organization has appointed an FG, his or her advice must be incorporated into the DPIA. The FG must also supervise the execution of the DPIA (Art. 35(2) and 39(1)(c) AVG; see also WP 248 and WP 243);

  • if your organization has appointed a Chief Information (Security) Officer (CISO / CIO), his or her advice must be incorporated into the DPIA (see also WP 248);

  • if your organization uses the services of a processor, the processor must cooperate in the execution of the DPIA (Art. 28(3)(f) AVG);

  • your organization must take into account the views of data subjects or their representatives "where appropriate" when conducting the DPIA (Art. 35(9) AVG). If this is not done, or the views differ from those of the controller, this must be documented and justified (comply or explain). These views can be obtained in various ways:

  • studies or surveys relating to the purpose of the data processing;

  • the views of the team leader (if the data subjects are employees);

  • a survey of (prospective) customers.

DPIA for governments:

For the civil service (not including independent administrative bodies, defense, police, judiciary and decentralized authorities), the obligation to conduct a (D)PIA has applied since 2013. The government has drawn up an updated data protection impact assessment (PIA) test model for the civil service, the 2017 model (in line with the AVG), which applies to the civil service. This model can be found on the website of the Rijksoverheid.

Other concerns:

  • if your organization cannot establish with certainty that a DPIA need not be carried out, the advice of the European privacy supervisors is to carry out a DPIA in those cases for the sake of certainty (WP 248);

  • if the DPIA shows that the data processing would pose a high risk if no measures were taken to mitigate that risk, the privacy supervisor must be consulted prior to the processing (Art. 36(1) AVG).

This is a checklist from the publication Checklist Privacy AVG: privacy policies in 57 checklists
