


Data Protection Impact Assessment (DPIA)

The competent supervisory authority in Spain has submitted its draft list to the European Data Protection Board (EDPB) in accordance with article 35 paragraph 4 of the GDPR. On 12 March the EDPB adopted Opinion 3/2019, which sets out the amendments to be made to our final list in order to maintain consistency with other European countries as regards the processing operations subject to the requirement of a Data Protection Impact Assessment.

A Data Protection Impact Assessment (hereinafter, DPIA) is an important tool that allows the prior assessment and identification of potential data protection risks that could affect the rights and freedoms of natural persons, and the adoption of appropriate measures to mitigate them. In other words, a DPIA is the process, which takes the form of a report, that assesses the risks a particular data processing activity could cause and the impact those risks could have, should they materialise, on the privacy of the persons whose data are processed, with the aim of establishing the necessary safeguards to eliminate them or, at least, reduce them as far as possible; and all of this prior to carrying out the envisaged processing operation.

Paragraph 1 of article 35 of the General Data Protection Regulation (EU) 2016/679 (hereinafter, GDPR) states: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”.

In other words, the GDPR requires a DPIA to be carried out before initiating a processing activity in those cases where a high risk to the rights and freedoms of the natural persons to whom the personal data relate is likely to exist.

Furthermore, our new Constitutional Act (Ley Orgánica 3/2018) on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD) establishes the general obligation of data controllers and processors to assess, in the first place, the need to perform a DPIA for the data processing operations they carry out, and contains a list of specific cases and risks that must be taken into account when evaluating whether a DPIA is needed.

Is it mandatory to carry out a DPIA in certain cases?

Although the GDPR leaves wide room for discretion to data controllers and processors when assessing whether or not to carry out a DPIA for a given data processing operation, paragraph 3 of the aforementioned article 35 does establish the obligation to carry out a DPIA in any case in the following situations:

  1. If the company wants to carry out a systematic and extensive evaluation of personal aspects of natural persons, based on automated processing such as profiling, on which decisions are based that produce legal effects concerning the data subjects or similarly significantly affect them;
  2. If the company carries out large-scale processing of special categories of data (referred to in article 9 GDPR, e.g. health data), or of personal data relating to criminal convictions and offences (referred to in article 10 GDPR);
  3. If the company is going to carry out processing based on large-scale systematic monitoring of a publicly accessible area.

Notwithstanding this, paragraph 4 of article 35 of the GDPR also lays down the obligation for the supervisory authority of each Member State to publish a list of data processing operations which will be subject to the requirement of carrying out a DPIA. These lists must be communicated to the European Data Protection Board (EDPB), created by Article 68 of the GDPR.

Although such a list has not yet been made public in Spain, on 12 March the EDPB published Opinion 3/2019 on the draft list submitted by our supervisory authority (Agencia Española de Protección de Datos, hereinafter, AEPD) regarding the processing operations subject to the requirement of a DPIA.

In this Opinion, the EDPB considers that the draft submitted by the AEPD may lead to an inconsistent application of the requirement to carry out a DPIA, and urges our supervisory authority to add to its list two processing operations that had not been taken into consideration and that, by their nature, may effectively pose a high risk to the rights and freedoms of data subjects:

  1. the processing of biometric data for the purpose of uniquely identifying a natural person, and
  2. the processing of genetic data;

in both cases in conjunction with at least one other criterion.

On the other hand, the GDPR establishes the minimum content of the report that embodies the DPIA carried out by an entity:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the need and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Once the DPIA has been carried out, it may turn out that a high risk has indeed been identified which the controller cannot mitigate by appropriate measures in terms of available technology and implementation costs. In such a situation, the supervisory authority must be consulted (as referred to in article 36 of the GDPR) prior to the processing, so that it can either issue the necessary recommendations for carrying out the processing concerned or prohibit it.

Contact

Isabel Garcìa Garcìa

+34 91 5359977
