Data Protection Impact Assessment

    Article 35 of the GDPR stipulates that a processor must carry out a Data Protection Impact Assessment (DPIA) before starting processing data that may lead to high risk for the data subjects. A DPIA is particularly important before processing that involves new technology, profiling, automated decision-making that has legal effects on the individual and if it involves special categories of personal data etc.

    The purpose of a DPIA is to map out the risks related to the processing and implement routines and safeguards to mitigate them. A DPIA is also an important measure to demonstrate accountability, in accordance with the article 5(2) of the GDPR.