DPIA obligation — type of processing: processing on a large scale?
ANSWER
A DPIA, i.e. a data protection impact assessment, must be carried out when a given type of processing, in particular one using new technologies, is likely by virtue of its nature, scope, context and purposes to result in a high risk to the rights and freedoms of natural persons (Article 35 GDPR). In the case of employee monitoring, the need to carry out a DPIA arises primarily from two facts: employees are data subjects requiring special protection, and they are monitored systematically. Two of the nine factors increasing the likelihood of breaches are therefore met, which in principle, according to the Article 29 Working Party guidelines, indicates the need to carry out a DPIA. The data protection impact assessment gives the controller an opportunity to identify gaps and risks related to data processing in the process under analysis.
Helpful materials in this regard include, for example: /wiedza/blog/ocena-skutkow-dla-ochrony-danych-dpia-bezplatny-formularz


