
Data Protection Impact Assessment List

Reproduced with thanks from the European Data Protection Supervisor (EDPS), published on Wednesday 17 July 2019.

The EDPS has adopted and published its lists of the kinds of processing operations that require a data protection impact assessment (DPIA) under Article 39 of the data protection regulation for the EU institutions, as well as those that at first sight do not require a DPIA.

The EDPS adopted these lists after consulting the European Data Protection Board (EDPB) on the draft lists. These lists provide additional guidance to controllers in the EU institutions and complement the accountability on the ground toolkit. In line with the Article 29 Working Party Guidelines on DPIAs, endorsed by the EDPB, these lists provide criteria for controllers to assess whether they need to do a DPIA; the lists are not exhaustive.

DPIAs are a new concept in the data protection regulation for the EU institutions, mirroring equivalent provisions in the GDPR. The DPIA process aims to provide assurance that controllers adequately address privacy and data protection risks of ‘risky’ processing operations. By providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIAs help organisations to comply with the requirement of data protection by design where it is needed the most, i.e. for ‘risky’ processing operations.
