Mandatory
A DPIA is mandatory only if a data processing operation is likely to present a high risk to the data subjects. This is always the case when an organisation:
- systematically and comprehensively evaluates personal aspects of individuals (including profiling);
- processes special categories of personal data on a large scale;
- systematically monitors people on a large scale in a publicly accessible area (e.g. camera surveillance).
The risk of data processing
The European Data Protection Board (EDPB) has developed guidelines for assessing the risks of data processing, from which it can be concluded whether a DPIA is mandatory. Nine criteria have been drawn up for this assessment; if two of them are met, it can be concluded that a DPIA must be performed. The criteria are:
- evaluation or scoring (1);
- automated decision-making with a legal or comparably significant effect (2);
- systematic monitoring (3);
- sensitive personal data or information (4);
- processing of personal data on a large scale (5);
- sets of data that are linked and combined (6);
- data of vulnerable data subjects (7);
- innovative use of the personal data, or the application of technological or organisational solutions to the personal data (8);
- processing that prevents the data subject from exercising a right or using a service or a contract (9).
Necessity and proportionality of data processing
If legislation requires an organisation to carry out a DPIA, it will have to verify the necessity and proportionality of the processing of personal data and identify the possible risks of that processing. The security measures that will be taken to minimise those risks must also be laid down in the DPIA.