Article 33 - 1. Where a type of processing in particular using new
technologies, and taking into account the nature, scope, context and
purposes of the processing, is likely to result in a high risk for
the rights and freedoms of individuals, the controller shall, prior
to the processing, carry out an assessment of the impact of the
envisaged processing operations on the protection of personal data. A
single assessment may address a set of similar processing operations
that present similar high risks.
In such cases, a data protection impact assessment should be carried out
by the controller prior to the processing in order to assess the
particular likelihood and severity of the high risk, taking into
account the nature, scope, context and purposes of the processing and
the sources of the risk, which should include in particular the
envisaged measures, safeguards and mechanisms for mitigating that
risk and for ensuring the protection of personal data and for
demonstrating the compliance with this Regulation.
A data protection impact assessment should also be made in cases where
data are processed for taking decisions regarding specific
individuals following any systematic and extensive evaluation of
personal aspects relating to natural persons based on profiling those
data or following the processing of special categories of personal
data, biometric data, or data on criminal convictions and offences or
related security measures. A data protection impact assessment is
equally required for monitoring publicly accessible areas on a large
scale, especially when using optic-electronic devices or for any
other operations where the competent supervisory authority considers
that the processing is likely to result in a high risk for the rights
and freedoms of data subjects, in particular because they prevent
data subjects from exercising a right or using a service or a
contract, or because they are carried out systematically on a large
scale.