What are the unintended consequences of GDPR

EU General Data Protection Regulation (GDPR): Data protection impact assessment schedule

Checklist - test steps

1. Check whether the prerequisites for carrying out a mandatory data protection impact assessment are met:

Is a systematic and comprehensive assessment of personal aspects of natural persons (profiling) carried out, which is then to be used as a basis for decisions that have legal effects for natural persons or that could affect them in a similarly significant manner (e.g. on the question of lending)?

Are sensitive data or data on criminal convictions and offenses processed in a comprehensive manner?

Does the data processing involve systematic extensive surveillance of publicly accessible areas (e.g. video surveillance)?

Is the processing activity listed in the "black list" of the data protection authority, which means that a data protection impact assessment must be carried out, or is it listed in the "white list", according to which no (mandatory) data protection impact assessment is to be carried out?

The data protection authority has published, in the form of a regulation, a list of processing activities that do not have to be subject to a mandatory data protection impact assessment (“white list” regulation).

The data protection authority has also issued a regulation on the processing operations that are subject to a mandatory data protection impact assessment (“black list”).

Will new technology be used in the intended data processing or is there likely to be a high risk to the rights and freedoms of the natural persons concerned due to the type, scope, circumstances and purposes of the data processing?

Test criteria of the former Art 29 group (since May 25, 2018 the "European Data Protection Committee") for assessing whether data processing is likely to involve a high risk (of particular importance for the last bullet point):

If two of the criteria are met, it can be assumed that the data processing is associated with a high risk and a data protection impact assessment must be carried out.
  • Does the processing operation result in a (potential) evaluation or classification of data subjects (e.g. the creation of profiles and forecasts), in particular on the basis of aspects that concern the work performance, economic situation, health, personal preferences or interests, reliability or behavior, or the whereabouts or change of location of the person? Example: user behavior profiles or marketing profiles created through website analysis tools.

  • Does the processing operation include automated decision-making with legal effect or a similarly significant effect?

  • Does the processing operation possibly include systematic monitoring, i.e. operations aimed at observing, monitoring or controlling data subjects?

  • Are confidential or highly personal data processed? Examples: "sensitive data" and personal data relating to criminal convictions or offenses; but also personal data that are linked to domestic or private activities (e.g. private electronic communication), that affect the exercise of basic rights (e.g. the recording of location data, which enables movement behavior to be tracked and may affect the protection of privacy), or whose use may have serious consequences in the everyday life of the persons concerned (e.g. bank data that could be misused for payment fraud).

  • Is data processing carried out on a large scale?

    • Number of people affected (either a specific number or as a proportion of the relevant population group)
    • Processed data volume or bandwidth of the different processed data elements
    • Duration or permanence of the data processing
    • Geographic extent of data processing

  • Does the data processing include a (potential) comparison or merging of data sets? Example: merging data sets collected for different purposes in a way that the persons concerned could not reasonably expect.

  • Are data of vulnerable data subjects possibly being processed? Examples: children, people with special protection needs (patients, mentally ill, senior citizens, asylum seekers), employees.

  • Does the processing operation involve an innovative use or application of new technological or organizational solutions? Example: Combination of fingerprint and face recognition for the purpose of improved access control.

  • Can data processing (potentially) prevent the data subjects from exercising a right or using a service or performing a contract? Example: Searching creditworthiness databases to determine whether a loan will be granted.

Tip: Use the electronic advisor to find out whether a data protection impact assessment should be carried out.

2. Collection of the types of personal data to be processed (e.g. names, addresses, contact details, sensitive data) and determination of the legal basis for data processing:

What types of data are processed?

Is there a declaration of consent from the person concerned?

Is the data processing necessary for the fulfillment of a contract or the implementation of pre-contractual measures?

Is the data processing necessary for the fulfillment of a legal obligation, e.g. from labor law?

Is the data processing necessary to protect the vital interests of the data subject or another natural person?

Is the data processing necessary for the performance of a task that is in the public interest or is carried out in the exercise of official authority that has been assigned to the person responsible?

Does the person responsible or a third party have a legitimate interest in data processing and do the interests or fundamental freedoms of the data subject not prevail?

Are the bases for the processing of "sensitive" data in place?

3. Are the following data protection principles observed?

  • Transparency: Are the information requirements fulfilled?

  • Purpose limitation principle: is the data processing carried out for specified, clear and legitimate purposes?

  • Principle of minimization and proportionality: Is the data processing appropriate in relation to the achievement of the purpose? Is the data processing limited to what is necessary and is it significant for achieving the purpose (e.g. with regard to the types of data, personal access or the storage period)?

  • How is it ensured that the data is factually correct and as up-to-date as possible?

  • Availability, integrity and confidentiality principle: What data security measures have been taken (for example, what restrictions are there on the disclosure of the data to people inside and outside the departments involved)?

4. Description of the planned processing operations and processing purposes, including the legitimate interests pursued (where data processing is based on the legal basis of “weighing of interests”), as well as the assessment of the necessity and proportionality of the processing operations

5. What are the possible risks of the intended data processing for the following protection goals?