A Privacy Data Assessment (PIA, Article 35 of the GDPR) is a check performed when the processing of data could result in a high risk to the rights and freedoms of a person. The data controller must conduct this impact assessment and document it before starting the data processing. The law considers the following to be some examples of a high risk of privacy violation:

  • Scoring/profiling, 
  • Automatic decisions which lead to legal consequences for those affected, 
  • Systematic monitoring, 
  • Processing of special personal data, 
  • Large-scale data processing, 
  • The merging or combining of data which was gathered by various processes, 
  • Data about incapacitated persons or those with limited ability to act, 
  • Use of newer technologies or biometric procedures, 
  • Data transfer to countries outside the EU/EEC,
  • Data processing which hinders those involved in exercising their rights. 

A PIA should be performed if the data to be processed meets two or more of these criteria. If in doubt, a PIA should be performed anyway. This assessment should be performed every three years.

To read more, please take a look at this website.
