Pre-DPIA form

The DPIA (Data Protection Impact Assessment) is a way to assess the risks of a processing operation. Every processing operation that entails the processing of personal data involves risks for the data subjects. It is important to consider the risks prior to processing the personal data and to take appropriate measures to minimise those risks. The DPIA helps you to identify and minimise the data protection risks.

The 'Pre-DPIA' below offers a shortened risk inventory, which indicates whether it is necessary to perform a full DPIA. For more information, see the Methodology DPIA of the University of Twente.

After the Pre-DPIA you will have a risk assessment of your processing operation. If the answer to one of the questions 1a-1q is 'yes', or if two or more of the answers to questions 2-10 are 'yes', you must perform a DPIA. Please contact your Privacy Contact Person (PCP) for assistance. Otherwise it is not necessary to perform a DPIA, unless your PCP decides that the risk involved still requires you to perform one.

Pre-DPIA form

Research / processing title:

Questions answered by (responsible for the processing):

Please enter your e-mail address so that we can send you the completed form. A copy of the form will be sent to the data protection officer.

Does the process/research involve any data about an identifiable person?
Personal data includes any information that can be traced directly or indirectly to a natural person, for example a person’s name, identification number, phone number, e-mail address, location data (also digital), assessments, ethnicity, religion, health and biometric data.

If yes: answer the following questions.

If no: a DPIA is not required.

1a. Does the processing operation entail covert investigation?

Large-scale processing of personal data and/or systematic monitoring where information is collected through investigations without prior notification to the data subject (for example: covert investigations by private detective agencies, investigations in the context of anti-fraud investigations and investigations on the internet in the context of e.g. online copyright enforcement). A DPIA is also mandatory in the event of covert camera surveillance by employers in the context of preventing theft or fraud by employees (for the latter processing, a DPIA must also be performed in incidental cases because of the unequal power relationship between the data subject (employee) and the controller (employer)).

If the answer to this question, or to any of the questions 1a-1q, is 'yes': a DPIA is required. Please contact your PCP and/or the DPO.

1b. Does the processing operation entail blacklists?

Processing operations where personal data relating to criminal convictions and offences, data about unlawful or disruptive behavior or data about bad payment behavior by companies or private individuals are processed and shared with third parties (art. 33 paragraph 4, preamble and under c, of the GDPR Execution Act) (black lists or warning lists, such as those used, for example, by insurers, catering companies, retail companies, telecom providers as well as black lists relating to illegal behavior of employees, for example in healthcare or by employment agencies).


1c. Does the processing operation entail fraud prevention?

Large-scale processing of (special categories of) personal data and/or systematic monitoring in the context of fraud prevention (for example, combating fraud by social services or by fraud departments of insurers).


1d. Does the processing operation entail credit scores?

Large-scale data processing and/or systematic monitoring leading to or using estimates of the creditworthiness of natural persons, expressed for example in a credit score.


1e. Does the processing operation entail data concerning someone's financial situation?

Large-scale processing and/or systematic monitoring of financial data from which people's income or capital position or spending pattern can be derived (for example statements of bank transfers, statements of the balances of someone's bank accounts or statements of mobile or debit card payments).


1f. Does the processing operation entail genetic personal data?

Large-scale processing and/or systematic monitoring of genetic personal data (e.g. DNA analyses for mapping personal characteristics, biobanks or other bio databases).


1g. Does the processing operation entail health data?

Large-scale processing of health data (for example by institutions or facilities for healthcare or social services, occupational health and safety services, reintegration companies, (special) education institutions, insurers, and research institutes), including large-scale electronic exchange of health data (please note: individual doctors and individual healthcare professionals are exempted from the obligation to conduct a DPIA pursuant to Recital 91 of the GDPR).


1h. Is the processing operation related to cooperations/partnerships?

Sharing personal data in or through partnerships in which municipalities or other authorities with other public or private parties share special personal data or personal data of a sensitive nature (such as data about health, addiction, poverty, problematic debts, unemployment, social problems, criminal law data, involvement of youth care or social work) with each other, for example in neighborhood teams, safety houses or information exchanges.


1i. Does the processing operation entail camera surveillance?

Large-scale and/or systematic monitoring of publicly accessible areas using cameras, webcams or drones.


1j. Does the processing operation entail flexible camera surveillance?

Large-scale and/or systematic use of flexible camera surveillance (cameras on clothing or helmets of fire or ambulance personnel, dashcams used by emergency services).


1k. Does the processing operation entail monitoring of employees?

Large-scale processing of personal data and/or systematic monitoring of employees' activities (for example checking e-mail and internet use, GPS systems in employees' trucks or vehicles or camera surveillance for the purpose of combating theft and fraud).


1l. Does the processing operation entail location data?

Large-scale processing and/or systematic monitoring of location data of or traceable to natural persons (for example by (scan) cars, navigation systems, telephones, or processing of location data of travelers in public transport).


1m. Does the processing operation entail communication data?

Large-scale processing and/or systematic monitoring of communication data, including metadata, that can be traced back to natural persons, unless and insofar as this is necessary to protect the integrity and security of the network and the service of the relevant provider, or the end user's peripheral device.


1n. Does the processing operation entail 'internet of things' applications?

Large-scale processing and/or systematic monitoring of personal data generated by internet-connected devices that can send or exchange data via the internet or otherwise ('internet of things' applications, such as smart televisions, smart household appliances, connected toys, smart cities, smart energy meters, medical devices, etc.).


1o. Does the processing operation entail profiling?

Systematic and comprehensive assessment of personal aspects of natural persons based on automated processing (profiling), such as, for example, assessment of professional performance, student achievement, economic situation, health, personal preferences or interests, reliability or behaviour.


1p. Does the processing operation entail observation and influencing of behaviour?

Large-scale processing of personal data where the behaviour of natural persons is systematically observed or influenced via automated processing, or data about the behaviour of natural persons is collected and/or recorded, including data collected for the purpose of online behavioural advertising.


1q. Does the processing operation entail biometric data?

Large-scale processing and/or systematic monitoring of biometric data with the purpose of identifying a natural person. Under the GDPR, the processing of biometric data for the purpose of uniquely identifying a natural person is, in principle, prohibited. In the Netherlands, additional conditions have been set in art. 29 of the GDPR Execution Act. Only if the processing is strictly necessary for authentication or security purposes, the processing of biometric data is allowed.


2. Are you doing evaluation or scoring (including profiling and predicting) of aspects specific to the data subject?
This means creating a category, placing a person in it, and using that category to take a decision about the person. An example of profiling is adding the label 'risky' to a person's file based on their financial history, which can then be used to deny that person a loan. Another example is a company that tracks visitors to its website and uses the data to profile them.
Research will most likely not involve profiling.

3. Does the processing involve automated decision making that produces significant (or legal) effect on the data subject?
Automated decision making involves any automated decision taken on the basis of personal data (not necessarily a profile) that has a significant effect on that person, such as exclusion or discrimination. An example is a system that judges job applications and automatically decides whether a person is invited for an interview or not. Another example is an automated system that decides whether a person is eligible for a bank loan or not.
Automated decisions do not qualify as such if they have no adverse effect on the person.

4. Are you performing systematic monitoring of data subjects, including in a publicly accessible area?
Systematic monitoring means monitoring that is routine or continuous. For example, installing an application on a person's phone which sends information to the researcher continuously or at regular intervals. Another example is an IT security system that routinely checks the amount of data an employee uses in order to detect potential security threats. Camera surveillance in publicly accessible areas is also an example of systematic monitoring.

5. Does the processing involve special categories of personal data?
Special categories of personal data are personal data about race, ethnic origin, political views, religion, trade union membership, genetic data, biometric data processed for the purpose of identification, health data or data regarding someone's sex life or sexual orientation. Criminal offence data are also part of sensitive personal data. Aside from these, this question also covers data that are considered sensitive, such as data about electronic communications, location or finances.

6. Is the data being processed on a large scale?
The GDPR does not define 'large scale'. The European data protection supervisors (in the Article 29 Working Party guidelines on DPIAs, endorsed by the European Data Protection Board) advise using the following criteria to determine whether this is the case:
- the number of data subjects;
- the volume and variety of data items processed;
- the duration (or permanence) of the processing;
- the geographical scope of the processing.

7. Have datasets been matched or combined?
This question asks whether different sets of data are combined to create a more complete set of data. These sets can, for example, come from different systems or be collected at different times or locations. The point here is that the data sets contain information about the same person, which is combined into a larger amount of information about that person in a way the person could not reasonably expect.

8. Does the data concern vulnerable data subjects?
There is no exhaustive list of types of vulnerable data subjects. Vulnerable persons are those with whom there is an imbalance of power, or who are less likely to fully comprehend or object to the data processing.
The following should, in any case, be thought of as vulnerable subjects: employees (in relation to employer), children, elderly people, mentally ill persons, patients, asylum seekers, etc.

9. Is this an innovative use or does it apply new technological or organizational solutions?
New solutions may lead to new ways of collecting or using data, possibly with high risks for privacy. Since this question concerns applications that are new or innovative, no clear examples can yet be provided, and the personal or societal consequences may still be unclear. If the process or research involves something that has not been done before, such as a new form of data collection (for example Internet of Things related, or combining fingerprint and facial recognition), a DPIA might be necessary.

10. Will the processing itself prevent data subjects from exercising a right or using a service or a contract?
This concerns processing that results in data subjects:
- being unable to exercise a right;
- being unable to use a service; or
- being unable to conclude a contract.
An example is checking whether a person is eligible for a loan (similar to the example of automated decisions, but for this question the decision does not need to be automated).
Another example is processing a student's application and determining whether he or she is allowed to enrol at the university.

Conclusion

Have you answered one of the questions 1a - 1q with 'yes'? Or did you answer two or more of questions 2-10 with 'yes'? Then you have to perform a DPIA. Your Privacy Contact Person (PCP) can assist you. In other cases, you do not need to perform a DPIA, unless your PCP decides that this is necessary based on the expected risk.