DPIA form

Do you monitor employees' working hours? Do you process special categories of personal data? Have you set up whistleblowing channels?

If so, you are likely required to carry out a DPIA. Use our form to assess the related risks.

When your organisation collects, stores or uses personal data, the people whose data you process are exposed to a number of risks. These include, but are not limited to, the theft or inadvertent disclosure of personal data or its use for purposes other than those originally defined. A Data Protection Impact Assessment (DPIA) is a way to systematically and comprehensively analyse your processing operations and identify and minimise data protection risks.

A well-conducted DPIA will provide you with, among other things:

  • compliance with the GDPR and avoidance of penalties;
  • trust of the people whose data you process;
  • minimisation of risks related to personal data breaches;
  • lower operational costs associated with optimising the flow of information within the project and eliminating unnecessary data collection and processing.

The DPIA form we have prepared for you includes all elements required by the EDPB guidelines on data protection impact assessments. This means you do not have to worry about whether you have covered every part of this challenging process.

If you are still unsure how to complete it, don't worry — we are here and happy to help you.

Perform DPIA

1. Systematic description of the processing operations
Indicate the name of the process for which you are performing the DPIA.
To carry out a DPIA, you need to know the processing context (internal and external) of the given operation, i.e. the circumstances of processing that matter from the data subject's perspective. You will also need to describe the nature, purpose and scope of processing, i.e. the inherent features of the operation (e.g. categories of data, regulatory issues, number of persons/records, defined processing purposes). The controller therefore has to answer how it processes data, including how data flows through the organisation, and for what purpose and why. The first question in our questionnaire concerns the description of the processing environment: consider what kind of organisation the controller is, the categories of data subjects and the relationship between your organisation and those persons, and which features of the processing are significant. Consider which regulations govern the processing, i.e. whether specific regulations apply (e.g. labour law in HR matters) or whether the operation is carried out in a highly regulated environment (e.g. finance or health). If applicable to your organisation, also indicate other norms and standards that affect data processing (e.g. ISO standards, BRCGS, codes of ethics, codes of conduct, certificates under Article 42 GDPR).
The data lifecycle, i.e. the path that personal data will follow in a given operation, means describing how you obtain data, how you use it in the operation or operations, and then what happens when the data is no longer necessary for that operation (e.g. data is deleted from the system, documents are disposed of and destroyed, etc.).
What purposes of processing has the controller identified, and why are the data processed? Assess the specificity of each purpose and the other elements of a correctly defined purpose; see the question: Are the purposes of processing specific, explicit and legally justified (Article 5(1)(b) GDPR)?
Consider who is involved in processing within the organisation, e.g. in employment processes it could be HR.
Identify all the processors involved in this process.
Are parties other than the controller's employees and processors also involved? Who else do you share data with? These may be public authorities, joint controllers, companies in a capital group, entities that will be separate controllers when providing a service (e.g. a lawyer). What is the legal basis for disclosure?
Indicate which categories of persons the data concern, e.g. job applicants, employees, whistleblowers, customers, persons acting on behalf of client companies, persons subject to CCTV monitoring, persons applying for credit, website users, mobile app users, library users, etc.
Indicate the categories of personal data by type: name, surname, PESEL (Polish national identification number), NIP (Polish tax identification number), e-mail address, etc. Pay attention to special categories of data, as well as data that may involve a higher risk of negative consequences, such as highly personal data or data of a particular nature (e.g. gender identity, detailed geolocation information, worldview beliefs, information contained in diaries/journals).
The question concerns in particular the assets used in the processing of personal data, such as devices, equipment, IT systems, technologies, media.
2. Assessment of necessity and proportionality
An inherent feature of processing is the purpose of the operation. The controller cannot process personal data without prior identification of the purpose. The controller is defined by the ability to determine the purposes and means of processing. Purposes should be specific, explicit and legally justified, meaning they should be defined precisely enough to assess the processing operation and what falls within its scope, and to assess compliance with the law. Such assessment should be possible for the supervisory authority and for the data subject, to whom the purpose should be communicated clearly (transparently).
As already mentioned, the purpose should be legally justified and therefore compliant with the law, including that processing for the stated purpose should be based on valid legal grounds under Article 6 GDPR. If you process data on the basis of legitimate interest (Article 6(1)(f) GDPR), indicate what that interest consists of, why processing is necessary and how it overrides the interests of the data subject. At this point you may refer to a balance test already carried out. A helpful tool is the Balance test form. In the case of a legal obligation or the performance of a public task, indicate the legal basis from the relevant laws.
How will the personal data processed in a given operation be subject to the principle of data minimisation? For example, will the system be designed with free-text forms in which the user can enter any data, or will it specify exactly which data is expected and in which fields it should be entered?
Please indicate the planned data retention periods and how you plan to ensure that the data will be deleted or anonymised after the specified period, e.g. by having the system automatically delete data after the specified date.
How will you ensure that high-quality data is maintained during processing? For example, through regular data quality reviews, enabling users to update their data, or documenting data changes.
Controllers should enter into data processing agreements with their processors. Check whether the processors you work with operate under such contracts and whether those contracts are up to date with Article 28 of the GDPR.
Identify transfers of personal data outside the EEA and the legal bases for those transfers (e.g. adequacy decision, standard contractual clauses, binding corporate rules). Have you already carried out a TIA? Our tool is helpful for conducting a TIA: TIA calculator.
How do you plan to inform data subjects about the processing of their data? Is the information you want to provide written in clear and simple language tailored to the recipient, and does it cover the content required by Article 13 of the GDPR?
The right of access is a very important right of the data subject. The resources used to carry out processing operations, or the solutions you evaluate under the DPIA, should already take into account at the design stage the possibility of exercising the right of access to data, including providing a copy of the data.
As mentioned above, the data subject should be able to exercise his or her rights without difficulty, including the right to data rectification.
At this stage we should already know whether our solution allows export of data "in a structured, commonly used, machine-readable format".
Consider how you will ensure that data is deleted. Do the systems used allow deletion of data? Is the deletion effective? Do you anticipate situations where data cannot be deleted (e.g. due to a legal obligation to continue storing it)?
According to the definition in Article 4(3) GDPR, "restriction of processing" means marking stored personal data in order to limit their future processing, which in turn under Article 18(2) GDPR means restricting processing to storage only, unless you have the person's consent for other processing activities, need the data to establish, exercise or defend claims, or processing is required by a legal obligation. In practice, consider whether the systems used allow data to be marked as subject to restricted processing.
3. Interested parties
If a DPO has been designated, the controller is obliged to consult them on the DPIA. The fact of consultation should be documented within the DPIA (this field serves that purpose). The Article 29 Working Party in its Guidelines on data protection officers (WP 243 rev.01) indicates the following matters that may be subject to consultation: 1) the need to carry out a data protection impact assessment; 2) the method to be applied when carrying out the data protection impact assessment; 3) whether the data protection impact assessment should be carried out internally or outsourced to an external entity; 4) what safeguards (including technical and organisational measures) should be applied to limit any kind of threat to the rights and interests of data subjects; 5) whether the data protection impact assessment was carried out correctly and whether its results (conclusions on whether processing should continue and what safeguards should be applied) are compliant with GDPR.
The controller may, and in "appropriate cases" must, consult the DPIA with data subjects, their representatives or external experts. Their opinion should be documented, and where the controller's conclusions differ from those consulted, the reasons for taking or not taking a decision should be documented. Likewise, the decision not to consult data subjects should be documented, e.g. by citing the need to protect business-critical information or commercial interests.
4. Identification of threats
Threats
Threat no. 1
Threat no. 2
5. Identification of vulnerability
In order to assess a threat, its precise identification is necessary. In the context of a given category of threats, consider what situations or events could cause the risk to materialise for the rights and freedoms of data subjects in the process. Take into account findings made in the systematic description of processing operations and non-conformities identified during the necessity and proportionality analysis. Use the organisation's experience, e.g. events that have already occurred, those identified in a general risk analysis or audits. You may also take external information into account: reports, studies, supervisory authority decisions. Consider the nature, scope, context and purposes of processing (see Recital 76 GDPR), in particular what data will be processed, by what means, what processing activities, and what processing principles apply. An example of a vulnerability may be: failure to inform data subjects, theft of data carriers due to lack of access control, lack of employee awareness, processing of data in third countries, lack of data retention rules.
Indicate the vulnerability that could lead to the materialisation of threat no. 1
6. Identification of effects
What threats to rights and freedoms do you see arising from the identified vulnerabilities? Remember that rights and freedoms should be understood broadly – not only as the right to privacy and data protection, but also other fundamental rights. For example, lack of appropriate safeguards or lack of employee awareness may lead to irreversible loss of data, which in turn may cause frustration, financial damage, and failure to provide information may lead to misunderstanding of why data is processed by a given organisation and, consequently, time lost identifying the controller. Lack of a retention policy may cause annoyance that data is still being processed.
Indicate the impacts on data subjects for threat no. 1
7. Risk assessment

LEGEND

Based on the legend below, estimate the likelihood of a threat:

(1) low probability: the materialisation of the risk through exploitation of a vulnerability of the resources involved in the processing operations does not appear to be possible for the selected sources of risk;

(2) average probability: the materialisation of the risk through exploitation of a vulnerability of the resources involved in the processing operations is difficult for the selected sources of risk;

(3) high probability: the materialisation of the risk through exploitation of a vulnerability of the resources involved in the processing operations appears to be possible for the selected sources of risk;

(4) very high probability: the materialisation of the risk through exploitation of a vulnerability of the resources involved in the processing operations seems extremely easy for the selected sources of risk.

Based on the legend below, assess the impact of the threat on the rights and freedoms of data subjects:

(1) low impact: data subjects will not be affected, or will experience minor inconveniences which they can overcome without any problem (time required to re-enter data, impatience, irritation, etc.);

(2) average impact: data subjects may experience significant inconveniences which they will be able to overcome despite certain difficulties (additional costs, denial of business services, fear, misunderstanding, stress, minor physical injury, etc.);

(3) high impact: data subjects may face significant consequences which they should be able to overcome, but with serious difficulties (financial fraud, blacklisting by banks, property damage, loss of employment, lawsuits, deteriorating health, etc.);

(4) very high impact: data subjects may experience significant or even irreversible consequences which they may not be able to overcome (financial difficulties such as unpaid debts or incapacity to work, long-term psychological or physical injury, death, etc.).

Assessment table (one row per threat): Threat | Probability (1–4) | Impacts (1–4) | Risk
8. Planned response to risk
Select one of the options:
(a) Acceptance - accepting the risk if the threshold of acceptability is not exceeded (i.e. the risk remains lower than high),
(b) Mitigation - minimising the risk through technical or organisational measures (the action indicated is mandatory if the risk acceptance threshold is exceeded),
(c) Transfer - sharing responsibility for risk management with another entity (e.g. outsourcing the implementation of security measures to an external company or outsourcing the processing of personal data to external, more secure servers),
(d) Avoidance - avoiding actions or conditions that give rise to specific risks (e.g. not using a particular resource to process personal data).
Depending on the outcome of the analysis and the choice of risk treatment, describe the specific actions to minimise the risk, i.e. the technical and organisational measures chosen to address the identified vulnerabilities. To assess the effectiveness of the new measures, re-examine the risk; if the risk cannot be mitigated and remains high, use prior consultation with the supervisory authority (Article 36 GDPR) or abandon the planned processing.

Indicate how you intend to handle the identified risk

Risk treatment table (one row per threat): Threat | Risk | How to deal with risk | Recommendations

Disclaimer

In order to obtain a meaningful data protection impact assessment result, all form fields must be completed. Each aspect of compliance and security analysed should be considered on a case-by-case basis, in particular with regard to the obligations set out in Article 35 of the GDPR. This form may at most serve as a supplementary tool and cannot be the sole basis for decision-making by any entity or person using it at their own risk. ODO 24 sp. z o.o. shall not be liable to any entity or person for any direct or indirect consequences of using the form, in particular damages, compensation or reparation obligations, administrative penalties, loss of benefits or other negative consequences.


What is a DPIA in the context of RODO?

A DPIA (Data Protection Impact Assessment), in the context of RODO, is a process that must be carried out by the data controller when it plans processing that may entail a high risk to the rights and freedoms of natural persons.

How to conduct a DPIA in accordance with RODO?
  • Description of the planned processing operations – this primarily answers questions about the purpose, scope and duration for which personal data will be processed. If you already maintain a record of processing activities for the process under analysis, you will know the answers to these questions.
  • Assessment of necessity and proportionality – this answers whether the scope of the data processed, the categories of data subjects whose data we process, and the categories of recipients to whom these data are disclosed, are necessary in view of the purposes and legal bases for the processing.
  • Measures planned to demonstrate compliance – we describe these by indicating organisational and technical safeguards, as well as recommendations for eliminating detected non-conformities.
  • Assessment of the risk to the rights and freedoms of data subjects – includes an indication of:
    - what breach may occur,
    - what gives rise to the possibility of a threat occurring (what the vulnerabilities are),
    - what the potential consequences are,
    - what the severity of the threat is,
    - what the likelihood of the breach is,
    - what the level of risk is (the result of multiplying severity and likelihood),
    - what the recommendations are (how to minimise the risk).

If the risk is high and we are unable to minimise it, we must consult the President of the Office for Personal Data Protection (art. 36 RODO). The risk is high if it exceeds an objectively established threshold of acceptability.

  • Measures planned to eliminate the risk – are determined based on the recommendations issued in the previous step. By implementing them we most often eliminate the vulnerabilities that give rise to the possibility of a threat occurring.

Example: It is planned to verify information provided by candidates during job interviews. Candidates invited to interviews will be asked to bring their diplomas and certificates.

  • Documentation – a DPIA includes a record of activities undertaken within the DPIA, as well as audit evidence, e.g. copies of documents confirming the accuracy of findings.
  • Monitoring and review – a DPIA should be carried out whenever there is a possibility of a change in the risk to the rights or freedoms of natural persons. As good practice, data protection impact assessments should be conducted once a year.
When is conducting a DPIA required under RODO?

Conducting a DPIA under RODO is required in certain situations that may involve a high risk to the rights and freedoms of natural persons. Here are some key situations in which a DPIA is required:

  • Systematic and comprehensive assessment of the data subjects: In the case of automated processing of data, including profiling, which is used to evaluate personal factors and has a significant impact on natural persons, such as making automated decisions with legal effects.
  • Large-scale processing of special categories of personal data: For example, processing data concerning health, sexual orientation, religious beliefs, biometric or genetic data.
  • Systematic monitoring (on a large scale) of publicly accessible places: For example, the use of CCTV cameras in public places on a large scale.
  • List by the supervisory authority: The competent supervisory authority may also specify a list of types of processing that require a DPIA in a given Member State.
  • Meeting at least 2 WP248 criteria: The Article 29 Working Party (now the EDPB) identified 9 criteria (the WP248 criteria) intended to help assess risk. Meeting at least 2 of these criteria will typically entail an obligation to conduct a DPIA.
How often should I carry out a DPIA under RODO?

A DPIA, like a risk analysis, should be carried out regularly; however, there is no specific schedule that determines how often a DPIA must be conducted, as this will depend on changes in processing operations, the nature of the organisation, the types of data it processes, and the sector in which it operates.

In any case, a DPIA should be carried out before commencing processing that may involve a high risk.

What are the consequences of failing to carry out a DPIA under RODO?

Failing to carry out a DPIA where required by RODO will constitute a breach of RODO.

Further consequences arising from a breach of RODO may include, among others:

  • violation of the rights of data subjects;
  • financial penalties;
  • damage to the company's reputation;
  • legal costs associated with administrative and judicial proceedings.

Do small companies also have to carry out a DPIA under RODO?

Yes, the requirements of RODO apply to all organisations processing personal data of European Union citizens, regardless of their size. This means that small companies must also carry out a DPIA where required, i.e. if the processing in which they are involved may entail a high risk to the rights and freedoms of natural persons.

What tools can I use to carry out a DPIA under RODO?

Various tools can be used to carry out a DPIA under RODO. The choice of a particular tool will depend on many factors, such as the nature of the organisation, the type of data processed and the risks associated with it.

An example of a tool may be a spreadsheet (e.g. in Excel), but it is also possible to use dedicated DPIA tools that can help in systematically carrying out and documenting this process.

Who should carry out a DPIA under RODO in my organisation?

A DPIA should be carried out by the persons responsible for data protection in your organisation. Here are examples of different people who may be involved in this process:

  • Data Protection Officer (DPO): Pursuant to Art. 35(2) RODO, the controller consults the Data Protection Officer where one has been appointed. The DPO's tasks include providing recommendations regarding the DPIA and monitoring its implementation.
  • Management: Engagement of senior management is often required, especially if the DPIA concerns risks that may affect strategic decisions about data processing.
  • Security and Data Protection Team: Security and data protection specialists have the necessary knowledge and skills to assist with the DPIA.
  • Lawyers/Legal Team: Legal experts can provide the necessary knowledge on lawfulness and regulatory requirements.
  • Suppliers and Subcontractors: If data processing is outsourced to external providers, they may also be involved in the DPIA process to ensure a full understanding of the risks and security measures.

Companies may decide to obtain external support, such as RODO outsourcing, to help conduct the risk analysis, particularly if they do not have the appropriate resources or specialised technical expertise.

How can I assess the effectiveness of a DPIA carried out under RODO?

The effectiveness of a DPIA can be verified through a number of activities:

  • Compliance with guidelines and assessment frameworks: Ensure that the DPIA has been conducted in accordance with the guidelines and frameworks set by the supervisory authority and that industry standards were applied where possible.
  • Assessment of remedial measures: Check whether the recommended remedial measures have been implemented and whether they are effective in reducing the identified risks. This can be done by conducting regular audits and tests.
  • Consultation with staff: It is worthwhile to consult with staff, including the Data Protection Officer (DPO), the legal team, the IT department and other key departments, to understand their perspective on the effectiveness of the DPIA.
  • Analysis of complaints and reports: Monitor any complaints and reports from data subjects to understand whether there are any issues related to data processing that could indicate inadequate DPIA effectiveness.
  • Regular updating: The regulatory and technological environment changes, so regular updating of the DPIA can help maintain its effectiveness.
  • Documentation: It is necessary to maintain complete and detailed DPIA documentation, including identified risks, remedial measures, consultations and decisions. These documents will serve as evidence of compliance in the event of an inspection by the supervisory authority.
  • Audits: Conducting regular internal and external audits can provide an independent assessment of the DPIA's effectiveness.

Assessing the effectiveness of a DPIA should be a continuous process, not a one-off action. Regular reviews and updates are key to maintaining an effective process.
