
IMPACT ASSESSMENT UNDER GDPR

Another novelty ushered in by the Regulation is the controller's obligation to carry out an impact assessment. Making the assessment one of the principal obligations of the controller in the circumstances identified under the Regulation seeks to improve awareness of the risks attendant upon the processing of personal data. As it happens, a personal data breach may cause much more damage than the cost of compensation alone.

In practice, an assessment of the impact of the envisaged processing on the protection of personal data should be carried out by the controller before that processing begins. If the relevant type of processing, in particular using new technologies, is likely, taking into account its nature, scope, context and purposes, to result in a high risk to the rights or freedoms of natural persons, an impact assessment is mandatory. Pursuant to the Regulation, when carrying out the assessment the controller seeks the advice of the data protection officer, where one has been designated. A data protection impact assessment is in particular required in the case of:

a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

b) processing on a large scale of special categories of personal data or of personal data relating to criminal convictions and offences; or

c) systematic monitoring of publicly accessible areas on a large scale.

The supervisory authority establishes and makes public a list of the types of processing operations which are subject to the requirement for a data protection impact assessment and communicates the list to the European Data Protection Board.

A data protection impact assessment should contain at least:

– a description of the envisaged processing operations and the purposes of the processing;
– an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
– an assessment of the risks to the rights and freedoms of the data subjects;
– the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation.

If a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it, then pursuant to the Regulation the controller must consult the supervisory authority prior to processing. Where the supervisory authority is of the opinion that the intended processing would infringe the Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority provides written advice to the controller and may use any of the powers conferred on it by the Regulation. In principle, the consultation lasts eight weeks. That period may be extended, or suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.

MILLER, CANFIELD, W. BABICKI, A. CHEŁCHOWSKI I WSPÓLNICY SP.K.

ul. Batorego 28-32, 81-366 Gdynia
Tel. +48 58 782-0050, Fax +48 58 782-0060
gdynia@pl.millercanfield.com

ul. Nowogrodzka 11, 00-513 Warszawa
Tel. +48 22 447-4300, Fax +48 22 447-4301
warszawa@pl.millercanfield.com

ul. Skarbowców 23a, 53-125 Wrocław
Tel. +48 71 780-3100, Fax +48 71 780-3101
wroclaw@pl.millercanfield.com

Disclaimer: This publication has been prepared for clients and professional associates of Miller Canfield. It is intended to provide only a summary of certain recent legal developments in selected areas of law. For this reason the information contained in this publication should not form the basis of any decision as to a particular course of action; nor should it be relied on as legal advice or regarded as a substitute for detailed advice in individual cases. The services of a competent professional adviser should be obtained in each instance so that the applicability of the relevant legislation or other legal development to the particular facts can be verified.