Ti | = | Article 35 - Data protection impact assessment |
1.sec | = | Where a type of {_processing} in particular using new technologies, and taking into account the nature, scope, context and purposes of the {_processing}, is likely to result in a high risk to the rights and freedoms of {_natural_persons}, the {_controller} shall, prior to the {_processing}, carry out an assessment of the impact of the envisaged {_processing} operations on the protection of {_personal_data}. A single assessment may address a set of similar {_processing} operations that present similar high risks. |
2.sec | = | The {_controller} shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. |
3.0.sec | = | A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: |
3.1.sec | = | a systematic and extensive evaluation of personal aspects relating to {_natural_persons} which is based on automated {_processing}, including {_profiling}, and on which decisions are based that produce legal effects concerning the {_natural_person} or similarly significantly affect the {_natural_person}; |
3.2.sec | = | {_processing} on a large scale of special categories of data referred to in Article 9(1), or of {_personal_data} relating to criminal convictions and offences referred to in Article 10; or |
3.3.sec | = | a systematic monitoring of a publicly accessible area on a large scale. |
3. | = | [G/Z/ol-a/s3] |
4.sec | = | The {_supervisory_authority} shall establish and make public a list of the kind of {_processing} operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The {_supervisory_authority} shall communicate those lists to the {_Board} referred to in Article 68. |
5.sec | = | The {_supervisory_authority} may also establish and make public a list of the kind of {_processing} operations for which no data protection impact assessment is required. The {_supervisory_authority} shall communicate those lists to the {_Board}. |
6.sec | = | Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent {_supervisory_authority} shall apply the consistency mechanism referred to in Article 63 where such lists involve {_processing} activities which are related to the offering of goods or services to {_data_subjects} or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of {_personal_data} within the Union. |
7.0.sec | = | The assessment shall contain at least: |
7.1.sec | = | a systematic description of the envisaged {_processing} operations and the purposes of the {_processing}, including, where applicable, the legitimate interest pursued by the {_controller}; |
7.2.sec | = | an assessment of the necessity and proportionality of the {_processing} operations in relation to the purposes; |
7.3.sec | = | an assessment of the risks to the rights and freedoms of {_data_subjects} referred to in paragraph 1; and |
7.4.sec | = | the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of {_personal_data} and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of {_data_subjects} and other persons concerned. |
7. | = | [G/Z/ol-a/s4] |
8.sec | = | Compliance with approved codes of conduct referred to in Article 40 by the relevant {_controllers} or {_processors} shall be taken into due account in assessing the impact of the {_processing} operations performed by such {_controllers} or {_processors}, in particular for the purposes of a data protection impact assessment. |
9.sec | = | Where appropriate, the {_controller} shall seek the views of {_data_subjects} or their {_representatives} on the intended {_processing}, without prejudice to the protection of commercial or public interests or the security of {_processing} operations. |
10.sec | = | Where {_processing} pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the {_controller} is subject, that law regulates the specific {_processing} operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to {_processing} activities. |
11.sec | = | Where necessary, the {_controller} shall carry out a review to assess if {_processing} is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by {_processing} operations. |
= | [G/Z/ol/s11] | |