The DPIA (data protection impact assessment) is a way to assess the risks of a processing. Every processing operation that entails the processing of personal data involves risks for the data subjects. It is important to consider the risks prior to processing the personal data and to take appropriate measures to minimise them. The DPIA helps you to identify and minimize the data protection risks.
The Dutch Data Protection Authority has published a list of processing operations for which a DPIA is required. A DPIA is required in the event of:
For more information, please refer to the resolution that includes the list (unfortunately, this is only available in Dutch).
When the processing operation does not entail one of the above mentioned operations, you might still need to do a DPIA. The 'Pre-DPIA' offers a shortened risk inventory, which indicates whether it is necessary to perform a full DPIA.
After the Pre-DPIA you have a risk assessment of your processing. If you answered two or more of the DPIA's questions with ‘yes’, the risk is high and you have to perform a DPIA. Please contact your Privacy Contact Person (PCP) for this. Your PCP may also decide that you should still perform a DPIA if you have answered fewer than two questions with ‘yes’, depending on the risk assessment of your processing.
Always limit the risks of processing by technical and / or organizational measures. Consider, for example, secure data storage, physically shielding data (e.g. locked cabinets), authorizations, codes of conduct and confidentiality statements. If there is a high risk and it is not possible to limit this (sufficiently), then not only the performance of the DPIA is mandatory, but the processing must also be reported to the Dutch Data Protection Authority before it starts.
Research / processing title:
Questions answered by (responsible for the processing):
Please enter your e-mail address so that we can send you the completed form.
Does the process/research involve any data about an identifiable person?Personal data includes any information that can be traced directly or indirectly to a natural person, for example a person’s name, identification number, phone number, location data (also digital), assessments, ethnicity, religion, health and biometric data.
In case the answer is ‘yes’, answer all of the following questions.
In case the answer is ‘no’, there is no need for a DPIA, and no need to answer any more questions.
1. Are you doing evaluation or scoring (including profiling and predicting) of aspects specific to the data subject?This would mean creating a category and placing a person in this category, used to take a decision about this category. An example of profiling is adding a label to a person's file with ‘risky’ based on his financial history, which can be used to deny that person a loan. Another example is a company that follows visitors of its website and uses the data to profile them.Research will most likely not contain profiling.
2. Does the processing involve automated decision making that produces significant (or legal) effect on the data subject?Automated decision making involves any automated decision taken based on personal data (not necessarily a profile) that results in a significant effect for that person like exclusion or discrimination. E.g. a system that judges job applications and automatically decides whether a person is invited for an interview or not. Another example is an automated system which automatically decides whether a person is eligible for a bank loan or not.Automated decisions are not qualified as such if they don't result in any hindrance for the person.
3. Are you performing systematic monitoring of data subjects, including in a publicly accessible area?Systematic monitoring can be seen as routinely. For example, installing an application on a person's phone which sends information to the researcher continuously or routinely. Another example is an IT security system that routinely checks the amount of data an employee uses to detect potential security threats. Also camera surveillance in publicly accessible areas is an example of systematic monitoring.
4. Does the processing involve sensitive personal data? Sensitive personal data is data about race, ethnic origin, political views, religion, membership of a union, genetic data, biometric data with the purpose of identification, health data or data regarding someone's sexual preference. Criminal offence data are also part of sensitive personal data. Aside from these, this question is also about data that are considered sensitive, like data about electronic communications, location or finances.
5. Is the data being processed on a large scale?The GDPR does not define ‘large scale’. The European Data Protection Supervisors advice to use the next criteria to determine if this is the case:- the number of data subjects;- the number of data / the variety of data in the processing;- the duration of the processing;- the geographical scope of the processing.
6. Have datasets been matched or combined?This question asks whether different sets of data are combined to create a more complete set of data. These sets can be, for example, from different systems or collected at different times/locations. The point here is that the data sets contain information about the same person, which is combined into a larger amount of information about that person. The person could not reasonably expect this.
7. Does the data concern vulnerable data subjects?There is no exhaustive list of types of vulnerable subjects. Vulnerable persons are those with whom there is a disbalance in power, or who are less likely to fully comprehend or object to the data processing. The following should, in any case, be thought of as vulnerable subjects: employees (in relation to employer), children, elderly people, mentally ill persons, patients, asylum seekers, etc.
8. Is this an innovative use or does it apply new technological or organizational solutions?New solutions may lead to new ways of data collection or use, possibly with high risks for privacy. Since this question involves applications that are new/innovative, no clear examples can yet be provided. Personal or societal consequences may still be unclear. If the process or research involves something that has not been done before, such as a new usage of data collection (perhaps Internet of Things related or combining use of finger print and facial recognition), a DPIA might be necessary.
9. Will the processing itself prevent data subjects from exercising a right or using a service or a contract? This concerns processing that results in data subjects:- are not able to exercise a right or;- cannot use a service or;- are not able to close a contract.Examples are checking whether a persons is eligible for a loan (similar to the example of automated decisions, but for this question the decision does not need to be automatic).Another example would be the processing of a student's application and determining whether he/she is allowed to enroll at the university.
Did you answer two or more questions with ‘yes’? You have to perform a DPIA. You can ask your Privacy Contact Person (PCP) to help you.Otherwise: there is no need to perform a DPIA, unless your PCP requests you to because of the possible risks of the processing.