Performing an impact assessment of the envisaged processing operations on the protection of personal data

Purpose of the impact assessment procedure

This article aims to provide more information on the impact assessment set out in Articles 35 and 36 of Regulation (EU) 2016/679. Impact assessment is a reporting tool that helps controllers not only to comply with Regulation (EU) 2016/679 but also to demonstrate that appropriate measures have been taken for ensuring compliance with the Regulation. It is required where a particular type of processing, in particular using new technologies, and in view of the nature, scope, context and purpose of the processing, is likely to pose a high risk to the rights and freedoms of individuals. Then, before the processing is carried out, the controller shall assess the impact of the processing operations envisaged on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

A data protection impact assessment is required in particular in the following cases:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  • a systematic monitoring of a publicly accessible area on a large scale.

A data protection impact assessment is also required according to a list established and made public by the National Supervisory Authority in agreement with the European Committee for Personal Data Protection under Art. 35 (4) of Regulation (EU) 2016/679.

The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

Content of the data protection impact assessment

The assessment shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Obligation to consult the Supervisory Authority

According to Article 36 (1) of Regulation (EU) 2016/679, the controller should consult the data protection supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Where the supervisory authority is of the opinion that the intended processing would infringe Regulation (EU) 2016/679, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller. When consulting the supervisory authority, the controller shall provide the supervisory authority with:

  • where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
  • the purposes and means of the intended processing;
  • the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
  • where applicable, the contact details of the data protection officer;
  • the data protection impact assessment provided for in Article 35; and
  • any other information requested by the supervisory authority.

Due to the above-mentioned peculiarities that should be taken into account when carrying out a data protection impact assessment, it is advisable to seek assistance from a specialist with experience in this matter. Krasimira Kadieva will gladly assist you in carrying out a data protection impact assessment as required by Regulation (EU) 2016/679.

Among the clients whom Krasimira Kadieva has advised over the past months on drafting the documents required for compliance with Regulation (EU) 2016/679, including drafting data protection impact assessments, are service providers, software developers, digital agencies, e-shops, pharmaceutical companies, construction companies, accounting companies, transport companies, cosmetics manufacturers, food producers, career media, insurance brokers, restaurant owners, companies providing services in the construction, maintenance and commissioning of internal electrical installations, as well as a company that distributes heat pump, solar and air conditioning systems. Legal implementation of the GDPR is a two-way process that requires the client's assistance in filling in a special questionnaire and providing the information necessary for preparing the documents. Krasimira Kadieva has helped clients draft the necessary documents and implement internal procedures for fulfilling the duties of the Controller, as well as inspection and control procedures.

Legal Disclaimer: This material, prepared by Krasimira Kadieva, aims to provide information about performing a data protection impact assessment. It does not constitute a legal opinion and cannot be interpreted as an individual consultation on any concrete facts or circumstances. The advice of a legal specialist should be obtained for specific questions and situations. For more information on the above-mentioned issues and individual consultations, please contact Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of this website.