A DPIA (Data Protection Impact Assessment) is a structurally complex form of risk assessment whose primary purpose is to complement every element and method of protection and to minimize the risks to the security of personal data.
According to Article 54 of the Law on Personal Data Protection, the data controller is obliged to carry out an assessment of the impact that the intended processing will have on the protection of personal data. This assessment is an explicit legal obligation in three situations: processing special categories of data (such as biometric data or fingerprints) using new technologies; any other type of processing that may pose a high risk to the individuals whose personal data is processed; and systematic surveillance of publicly accessible areas, such as the use of smart video surveillance.
What constitutes “high risk”?
The introduction of any new technology entails various risks. Therefore, before data processing with a new technical solution begins, that processing should be reassessed through a DPIA, which plays a crucial role in the data controller’s legal compliance process. Other “high-risk” processing includes any processing whose consequences could adversely affect the rights and freedoms of individuals, for example by exposing them to attacks, abuse, defamation, or even financial fraud.
Why conduct a DPIA?
If there is concern that certain types of processing may cause harm, or if there is a presumption that the introduction of new technologies will infringe upon individuals’ privacy, an impact assessment (DPIA) becomes a legal obligation for businesses and organizations.
This assessment must include at least: a description of all planned processing activities and their purpose; an assessment of the necessity and proportionality of those activities; an assessment of the risks to individuals’ rights and freedoms; and a description of the measures to be taken, including technical and organizational measures. When conducting the assessment, the current state should be evaluated, as should any failure of the data controller (which is the authority in these cases) to perform its duties with the resources it already has.
Furthermore, the data controller is obligated to inform everyone whose data is processed about all aspects of data processing in a clear, easily accessible, understandable, and simple manner.
By protecting the personal data of their employees, clients, and visitors through impact assessments, organizations become relevant advocates for human rights and transparently strengthen their own brand and business values, thereby gaining credibility and reputation.
If the impact assessment of the processing reveals a high risk, the data controller must seek the opinion of the Commissioner and take necessary measures to mitigate that risk.
Handling data, or exposing it to high-risk processing activities, without first conducting a data protection impact assessment constitutes a serious offense, punishable under the applicable laws.
What happens with particularly sensitive data?
Processing that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic and biometric data for the purpose of identifying individuals and of data concerning an individual’s health, sexual life, or sexual orientation, is prohibited. However, exceptions to this rule apply in specific cases where the processing is necessary.
What rights does the individual whose data is collected and processed have?
The individual whose data is processed has the right to transparency regarding data processing activities, as well as information about the data controller’s identity and contact details, the purpose and legal basis for processing, the interests of the data controller or third party, data recipients, intentions to transfer data outside the country, data retention periods, and the right to access, rectify, and erase data.
The individual also has the right to withdraw consent, lodge a complaint with the Commissioner, know whether providing data is a legal or contractual obligation, and be informed about the existence of automated decision-making, including profiling.
Additionally, the individual has the right to restrict data processing and data portability to another data controller.
Is it necessary to keep a record of data processing?
Businesses and organizations with fewer than 250 employees are not required to keep records of data processing unless the processing may pose a high risk to individuals’ rights and freedoms, or the processing is not occasional and involves special categories of personal data or data relating to criminal convictions, offenses, or security measures.
What happens in case of a personal data breach?
In the event of a personal data breach, the Commissioner must be notified within 72 hours so that appropriate protective measures can be taken. The individuals whose data has been breached must also be informed if the breach poses a significant risk to their rights and freedoms.
If you require professional DPIA drafting and thorough legal compliance, contact us to schedule consultations: