A Privacy Data Assessment (Article 35 of the GDPR) is a check performed when the processing of data could result in a high risk to the rights and freedoms of a person. The data controller must conduct this impact assessment and document it before starting the data processing. The law considers the following to be some examples of a high risk of privacy violation:
Automatic decisions which lead to legal consequences for those affected,
Processing of special personal data,
Large-scale data processing,
The merging or combining of data which was gathered by various processes,
Data about incapacitated persons or those with limited ability to act,
Use of newer technologies or biometric procedures,
Data transfer to countries outside the EU/EEC,
Data processing which hinders those involved in exercising their rights.
A PIA should be performed if the data to be processed meets two or more of these criteria. If in doubt, a PIA should be performed anyway. This assessment should be performed every three years.