A Privacy Data Assessment (Article 35 of the GDPR) is a check performed when the processing of data could result in a high risk to the rights and freedoms of a person. The data controller must conduct this impact assessment and document it before starting the data processing. The law considers the following to be some examples of a high risk of privacy violation:

  • Scoring/profiling, 

  • Automatic decisions which lead to legal consequences for those affected, 

  • Systematic monitoring, 

  • Processing of special personal data, 

  • Large-scale data processing, 

  • The merging or combining of data which was gathered by various processes, 

  • Data about incapacitated persons or those with limited ability to act, 

  • Use of newer technologies or biometric procedures, 

  • Data transfer to countries outside the EU/EEC,

  • Data processing which hinders those involved in exercising their rights. 

A PIA should be performed if the data to be processed meets two or more of these criteria. If in doubt, a PIA should be performed anyway. This assessment should be performed every three years.

To read more, please take a look at this website.
