The following list some ways that could potentially facilitate carrying out a DPIA.
- In some cases where the processing has a legal basis based in Union or Member State law (i.e., Article 6(1)(c) or (e) GDPR), a DPIA may have already been carried out by the legislator. In this case, unless a Member State deems a DPIA by every controller necessary, or unless the legislation leaves significant margin of implementation to the controller in a way that affects the risks to data subjects, the DPIA does not have to be executed (see Article 35(10) GDPR for detail).
- “There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project” (Recital 90 GDPR). This obviously facilitates the single processing activities that can then refer to the “broad DPIA”. This is further confirmed in Article 35(1) that states: “A single assessment may address a set of similar processing operations that present similar high risks.” The Article 29 Working Party provides additional guidance here stating that “[a] single DPIA could be used to assess multiple processing operations that are similar in terms of nature, scope, context, purpose, and risks.” It further states that “DPIAs aim at systematically studying new situations that could lead to high risks on the rights and freedoms of natural persons, and there is no need to carry out a DPIA in cases (i.e. processing operations performed in a specific context and for a specific purpose) that have already been studied.” In these cases, it is possible to fall back on the “broad DPIA” or at least delegate major portions of an individual DPIA to it. If a “broad DPIA” is unavailable, there may still be individual DPIAs of similar processing activities that help conducting one oneself.
- The Working Party states that “A DPIA can also be useful for assessing the data protection impact of a technology product”. So if a technology provider has already conducted a DPIA, “the data controller deploying the product remains obliged to carry out its own DPIA with regard to the specific implementation, but this can be informed by a DPIA prepared by the product provider”.
- The Working Party points out the possibility that a DPIA is facilitated by the existence of a sector-specific DPIA framework: “The WP29 encourages the development of sector-specific DPIA frameworks. This is because they can draw on specific sectorial knowledge, meaning the DPIA can address the specifics of a particular type of processing operation (e.g.: particular types of data, corporate assets, potential impacts, threats, measures).”
- Another potential way of facilitating a DPIA is to exploit systematic approaches that are used across multiple processing activities. Article 24(2) provides the example of corporate-wide “data protection policies”. Article 24(3) adds “approved certification” (according to Article 42 GDPR) and “approved codes of conduct” (according to Article 40 GDPR). The latter is also specifically mentioned in Article 35(8) GDPR.
1see Bundesgesetz über allgemeine Angelegenheiten gemäß Art. 89 DSGVO und die Forschungsorganisation (Forschungsorganisationsgesetz – FOG)
StF: BGBl. Nr. 341/1981 idF BGBl. Nr. 448/1981 (DFB) (NR: GP XV RV 214 AB 778 S. 81. BR: S. 413.), in German, https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10009514 (last visited 30/01/2020). ↑
2See Appendices 4 through 21. ↑
3wp248rev.01, page 7, Section III. A., 2nd paragraph, highlighting added by authors. ↑
4wp248rev.01, page 8, Section III. A., 2nd paragraph. ↑
5wp248rev.01, page 17, Section III. D.c)., 2nd last paragraph. ↑