As the responsible party, you must ensure that a data protection impact assessment (DPIA) is carried out. In doing so, you must seek advice from various parties, where applicable. You do not have to carry out the DPIA yourself; you can have someone else, inside or outside your organization, do this for you. You remain ultimately responsible, however.
Has a data protection officer (DPO, "FG" in Dutch) been appointed in your organization? If so, you must ask the DPO for advice. You must include in the DPIA report what the DPO has advised and what you have done with that advice. The DPO is also tasked with monitoring the implementation of the DPIA.
Does a processor perform data processing on your behalf? Then the processor must support you in carrying out the DPIA and provide the information you need.
You should ask data subjects (the people whose data you want to process) or their representatives for their opinions if necessary.
Depending on your specific situation, there are several appropriate ways you can ask stakeholders for their opinions. For example, you can conduct an internal or external survey, consult consumer or employee organizations, or send your prospective customers a questionnaire.
Does your final decision differ from the views of data subjects? If so, you must document your reasons for going ahead with the processing or not. You must also document your reasoning if you deem it unnecessary to ask data subjects for their opinions.
Finally, it is advisable to identify and document which other parties may be involved in a DPIA in your specific situation, and what their responsibilities are. Examples include the IT department, other departments, and independent experts (such as lawyers, technicians, security experts and sociologists).