
Risk analyses


Risk analyses and data protection impact assessment (DPIA)


The level of protection personal data needs depends on how extensive and how critical the processed data is. You should therefore analyse each processing operation with respect to:

  • Type and scope of processing
  • Group of data subjects
  • Likelihood of occurrence and severity of the risks to the rights and freedoms of data subjects

If you process particularly extensive and/or particularly critical data, the protective measures must be correspondingly strong. As you remember, critical data is primarily what is known as "Article 9 data". Article 9 GDPR describes the "special categories of personal data":


Art. 9 GDPR Processing of special categories of personal data

  1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
  2. […]

Furthermore, according to the GDPR, children deserve special protection "as children may be less aware of the risks, consequences and safeguards involved and of their rights when personal data are processed" (Recital 38).


Risk analysis

If it is not clear at first glance how high the risk of a data processing operation is, the controller must carry out a more comprehensive investigation, e.g. in the form of a risk analysis. Together with their team, the controller critically scrutinises the processing of personal data, implements appropriate and suitable protective measures and, in case of doubt, carries out a formal risk assessment. You can find a template for this in the "Tools and Tools" course.


Data protection impact assessment (DPIA)

A data protection impact assessment (DPIA) must be carried out, before the processing begins, whenever the processing is likely to result in a high risk to the rights and freedoms of natural persons because of its nature, scope, context and purposes (Art. 35 GDPR). A DPIA evaluates the necessity and proportionality of the planned processing operation, assesses the risks to data subjects, and defines clear security measures and procedures to address those risks and protect personal data.

However, this measure is only required for particularly extensive and critical data processing. If you are interested in what a data protection impact assessment looks like, a group of interested parties created a DPIA for the Corona App in 2020, which is publicly available: https://www.researchgate.net/publication/341097723_Data_Protection_Impact_Assessment_for_the_Corona_App.

