Data Protection Impact Assessment List
The EDPS has adopted and published its lists of the kinds of processing operations that require a data protection impact assessment (DPIA) under Article 39 of the data protection regulation for the EU institutions, as well as those that at first sight do not require a DPIA.
The EDPS adopted these lists after consulting the European Data Protection Board (EDPB) on the draft lists. These lists provide additional guidance to controllers in the EU institutions and complement the Accountability on the Ground toolkit. In line with the Article 29 Working Party Guidelines on DPIAs, endorsed by the EDPB, these lists provide criteria for controllers to assess whether they need to do a DPIA; the lists are not exhaustive.
DPIAs are a new concept in the data protection regulation for the EU institutions, mirroring equivalent provisions in the GDPR.
The DPIA process aims to provide assurance that controllers adequately address privacy and data protection risks of ‘risky’ processing operations. By providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIAs help organisations to comply with the requirement of data protection by design where it is needed the most, i.e. for ‘risky’ processing operations.