A DPIA is a process in which the data controller, before starting a data-processing operation that poses a high risk to the fundamental rights and freedoms of data subjects, assesses the impact of the envisaged processing operations on the protection of personal data (Article 35(1) of the GDPR). If controllers are dealing with a high risk, then a DPIA should be conducted in accordance with Article 35(7) of the GDPR. In the case of geospatial data, the EDPB considered “that a data protection impact assessment (DPIA) must be carried out before implementing such tool as the processing is considered likely high risk (health data, anticipated large-scale adoption, systematic monitoring, use of new technological solution). The EDPB strongly recommends the publication of DPIAs.”
It is important to highlight that a DPIA should be performed whenever the controller considers that a concrete processing operation involves a high risk. Most Data Protection Agencies require a DPIA when the processing involves the systematic location of data subjects. Therefore, it may well happen that a developer has to perform several DPIAs during the production process. Indeed, we consider that these assessments should be revisited and updated whenever possible, and especially when the controller is to define the policies regarding data retention and deletion.
In certain situations, if the result of the DPIA is that the intended processing activity has a high risk of causing harm to the fundamental rights and freedoms of data subjects, the controller should request the opinion of the national supervisory authority, as prescribed by Article 36 of the GDPR. Some Member States have issued lists containing examples of data-processing activities that trigger this mandatory DPIA; among those examples, we can identify situations that match techniques for processing geospatial data. This is especially true if they incorporate AI techniques. Supervisory authorities can require the adoption of certain measures to mitigate the risk, where possible, or forbid the use of the device or system if mitigation is not possible.
Checklist: is a DPIA necessary?
The controller determined the jurisdictions where data-processing activities will take place.
The controller checked if those jurisdictions have enacted lists indicating the processing that requires a mandatory DPIA and has seen if the intended data processing is covered by those provisions.
If the controller is unsure of the necessity of carrying out a DPIA, they must consult the DPO or, in the absence of a DPO, the controller's legal department.
If necessary, the controller carried out a DPIA.
If necessary, the controller filed a prior consultation with the appropriate supervisory authority.
[1] EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020.
[2] See, for instance, the position adopted by the Spanish Data Protection Agency in: https://www.aepd.es/sites/default/files/2019-09/listas-dpia-es-35-4.pdf