The full title is: “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation (EU) 2016/679”.
Table of contents
I. INTRODUCTION
II. SCOPE OF THE GUIDELINES
III. DPIA: THE REGULATION EXPLAINED
A. WHAT DOES A DPIA ADDRESS? A SINGLE PROCESSING OPERATION OR A SET OF SIMILAR PROCESSING OPERATIONS
B. WHICH PROCESSING OPERATIONS ARE SUBJECT TO A DPIA? APART FROM EXCEPTIONS, WHERE THEY ARE “LIKELY TO RESULT IN A HIGH RISK”
a) When is a DPIA mandatory? When processing is “likely to result in a high risk”
b) When isn’t a DPIA required? When the processing is not “likely to result in a high risk”, or a similar DPIA exists, or it has been authorized prior to May 2018, or it has a legal basis, or it is in the list of processing operations for which a DPIA is not required
C. WHAT ABOUT ALREADY EXISTING PROCESSING OPERATIONS? DPIAS ARE REQUIRED IN SOME CIRCUMSTANCES
D. HOW TO CARRY OUT A DPIA?
a) At what moment should a DPIA be carried out? Prior to the processing
b) Who is obliged to carry out the DPIA? The controller, with the DPO and processors
c) What is the methodology to carry out a DPIA? Different methodologies but common criteria
d) Is there an obligation to publish the DPIA? No, but publishing a summary could foster trust, and the full DPIA must be communicated to the supervisory authority in case of prior consultation or if requested by the DPA
E. WHEN SHALL THE SUPERVISORY AUTHORITY BE CONSULTED? WHEN THE RESIDUAL RISKS ARE HIGH
IV. CONCLUSIONS AND RECOMMENDATIONS
ANNEX 1 – EXAMPLES OF EXISTING EU DPIA FRAMEWORKS
ANNEX 2 – CRITERIA FOR AN ACCEPTABLE DPIA