A Privacy Data Assessment (PIA, Article 35 of the GDPR) is a check performed when the processing of data could result in a high risk to the rights and freedoms of a person. The data controller must conduct and document this impact assessment before starting the data processing. The law considers the following to be examples of a high risk of privacy violation:
- Automatic decisions which lead to legal consequences for those affected,
- Systematic monitoring,
- Processing of special personal data,
- Large-scale data processing,
- The merging or combining of data which was gathered by various processes,
- Data about incapacitated persons or those with limited ability to act,
- Use of newer technologies or biometric procedures,
- Data transfer to countries outside the EU/EEC,
- Data processing which hinders those involved in exercising their rights.
A PIA should be performed if the data to be processed meets two or more of these criteria. If in doubt, a PIA should be performed anyway. This assessment should be performed every three years.