Privacy Daily is a service of Warren Communications News.

Polish DPA Posts Guidance on Data Protection Impact Assessments

Poland's data protection authority issued guidance Wednesday to help data controllers decide when to perform a data protection impact assessment (DPIA). It noted that the General Data Protection Regulation doesn't require a DPIA for every processing operation a controller plans to carry out, but an assessment is mandatory if that processing, in particular involving new technologies, is likely to result in a high risk to someone's rights or freedoms.

Data controllers should, at the stage of designing a given data processing operation, analyze whether it's subject to the obligation to do a DPIA, the agency said.

The authority listed processing operations that might involve a high risk of rights violations. These include: (1) Evaluation, including profiling and behavioral analysis, for purposes that cause negative legal, physical, financial or other inconveniences to individuals. (2) Automated decision-making with legal, financial or similar effects. (3) Processing of sensitive personal data concerning convictions. (4) Processing of location data.

If in doubt about whether a DPIA is necessary, the data controller should conduct one, the authority said.