/Docs/G/EU-GDPR-Law-CmA/Sec/Article/35.md
Ti = Article 35 - Data protection impact assessment
1.sec = Where a type of {_processing} in particular using new technologies, and taking into account the nature, scope, context and purposes of the {_processing}, is likely to result in a high risk to the rights and freedoms of {_natural_persons}, the {_controller} shall, prior to the {_processing}, carry out an assessment of the impact of the envisaged {_processing} operations on the protection of {_personal_data}. A single assessment may address a set of similar {_processing} operations that present similar high risks.
2.sec = The {_controller} shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
3.0.sec = A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
3.1.sec = a systematic and extensive evaluation of personal aspects relating to {_natural_persons} which is based on automated {_processing}, including {_profiling}, and on which decisions are based that produce legal effects concerning the {_natural_person} or similarly significantly affect the {_natural_person};
3.2.sec = {_processing} on a large scale of special categories of data referred to in Article 9(1), or of {_personal_data} relating to criminal convictions and offences referred to in Article 10; or
3.3.sec = a systematic monitoring of a publicly accessible area on a large scale.
3. = [G/Z/ol-a/s3]
4.sec = The {_supervisory_authority} shall establish and make public a list of the kind of {_processing} operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The {_supervisory_authority} shall communicate those lists to the {_Board} referred to in Article 68.
5.sec = The {_supervisory_authority} may also establish and make public a list of the kind of {_processing} operations for which no data protection impact assessment is required. The {_supervisory_authority} shall communicate those lists to the {_Board}.
6.sec = Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent {_supervisory_authority} shall apply the consistency mechanism referred to in Article 63 where such lists involve {_processing} activities which are related to the offering of goods or services to {_data_subjects} or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of {_personal_data} within the Union.
7.0.sec = The assessment shall contain at least:
7.1.sec = a systematic description of the envisaged {_processing} operations and the purposes of the {_processing}, including, where applicable, the legitimate interest pursued by the {_controller};
7.2.sec = an assessment of the necessity and proportionality of the {_processing} operations in relation to the purposes;
7.3.sec = an assessment of the risks to the rights and freedoms of {_data_subjects} referred to in paragraph 1; and
7.4.sec = the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of {_personal_data} and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of {_data_subjects} and other persons concerned.
7. = [G/Z/ol-a/s4]
8.sec = Compliance with approved codes of conduct referred to in Article 40 by the relevant {_controllers} or {_processors} shall be taken into due account in assessing the impact of the {_processing} operations performed by such {_controllers} or {_processors}, in particular for the purposes of a data protection impact assessment.
9.sec = Where appropriate, the {_controller} shall seek the views of {_data_subjects} or their {_representatives} on the intended {_processing}, without prejudice to the protection of commercial or public interests or the security of {_processing} operations.
10.sec = Where {_processing} pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the {_controller} is subject, that law regulates the specific {_processing} operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to {_processing} activities.
11.sec = Where necessary, the {_controller} shall carry out a review to assess if {_processing} is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by {_processing} operations.
= [G/Z/ol/s11]