Article 35 GDPR
Data protection impact assessment

P: 84, 89-94 | W6

1. If a particular type of processing - in particular using new technologies - is, by its nature, scope, context and purposes, likely to involve a high risk of infringement of the rights or freedoms of individuals, the controller shall assess the effects of the planned processing operations on the protection of personal data before the processing begins. A single assessment may be carried out for similar processing operations involving a similar high risk.

P: 94, 95

2. When conducting a data protection impact assessment, the controller shall consult with the data protection officer, if one has been appointed.

P: 94, 95

3. The data protection impact assessment referred to in paragraph 1 is required in particular in the case of:

P: 94, 95

(a) a systematic, comprehensive assessment of personal factors relating to natural persons, which is based on automated processing, including profiling, and is the basis for decisions having legal effects against the natural person or similarly significant effects on the natural person;

P: 77

(b)* large-scale processing of special categories of personal data referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10; or

(c) systematic large-scale monitoring of publicly accessible areas.
4. The supervisory authority shall establish and make public a list of the types of processing operations subject to the requirement to carry out a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall transmit these lists to the European Data Protection Board referred to in Article 68.
5. The supervisory authority may also establish and make public a list of types of processing operations that are not subject to a data protection impact assessment. The supervisory authority shall communicate these lists to the European Data Protection Board.
6. If the lists referred to in paragraphs 4 and 5 include processing operations related to the offering of goods or services to data subjects or to the monitoring of their behavior in several Member States, or which are likely to significantly affect the free flow of personal data within the Union, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 prior to the adoption of such lists.
7. At a minimum, the assessment includes:
(a) a systematic description of the planned processing operations and processing purposes, including where applicable the legitimate interests pursued by the controller;
(b) an assessment of whether the processing operations are necessary and proportionate to the objectives;
(c) an assessment of the risk of infringement of the rights or freedoms of data subjects referred to in paragraph 1; and
(d) the measures planned to address the risk, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
8. When assessing—in particular for the purposes of a data protection impact assessment—the effects of processing operations carried out by a controller or processor, account shall be taken of the controller’s or processor’s adherence to the approved codes of conduct referred to in Article 40.
9. Where appropriate, the controller shall consult data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
10. Paragraphs 1–7 shall not apply if the processing pursuant to Article 6(1)(c) or (e) has a legal basis in Union law or in the law of the Member State to which the controller is subject, and such law governs the processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a regulatory impact assessment in connection with the adoption of that legal basis—unless Member States deem it necessary to carry out a data protection impact assessment prior to the processing activities.
11. Where necessary, and at least when the risks arising from the processing operation change, the controller shall carry out a review to assess whether the processing is being carried out in accordance with the data protection impact assessment.

*Article 35(3)(b) as amended by the corrigendum of 23 May 2018 (Official Journal of the EU, L 127, 2018, p. 2), which entered into force on 23 May 2018.
