Performing a DPIA is often compulsory in the case of social networks since it involves a systematic monitoring of a publicly accessible area on a large scale (Article 35(3) of the GDPR). Even if this were not the case, some other circumstances could make it compulsory or, at least, highly recommendable (see the ‘Data Protection Impact Assessment’subsection of the Main Actions and Tools section of the General Part of these Guidelines).
|☐ The controller has conducted a DPIA for the processing activity. The controler has ensured that it:
- Has started as early as possible (following the principle of Data Protection by Design).
- Has provided a clear overview of what a DPIA is.
- Has used the guidance and templates provided by the competent Data Protection Supervisory Authority (DPA) where possible. If not (for example, if the DPA does not provide such material or has to cater to many areas of competence of different DPAs), the DPA has followed the guidance provided by the Article 29 Working party in wp248rev.01.
- Has assembled the team necessary to conduct the DPIA.
- Has considered ways of facilitating your work.