Privacy Daily is a service of Warren Communications News.

Polish DPA Posts Guidance on Data Protection Impact Assessments

Poland's data protection authority issued guidance Wednesday to help data controllers decide when to perform a data protection impact assessment (DPIA). It noted that the General Data Protection Regulation doesn't require a DPIA for every processing operation a controller plans to carry out, but an assessment is mandatory if that processing, in particular involving new technologies, is likely to result in a high risk to someone's rights or freedoms.


Data controllers should, at the stage of designing a given data processing operation, analyze whether it's subject to the obligation to do a DPIA, the agency said.

The authority listed processing operations that might involve a high risk of rights violations. These include: (1) Evaluation, including profiling and behavioral analysis, for purposes that cause negative legal, physical, financial or other inconveniences to individuals. (2) Automated decision-making with legal, financial or similar effects. (3) Processing of sensitive personal data concerning convictions. (4) Processing of location data.

If in doubt about whether a DPIA is necessary, the data controller should conduct one, the authority said.