What is the intended audience of a DPIA report?

The DPIA report addresses the following audiences:

  1. persons who will be involved in the processing activities (typically of the controller and, optionally, processors),
  2. including the Data Protection Officer (DPO),
  3. the competent supervisory authority, and
  4. (where possible) the public.

1. Considering that the DPIA guides decisions by the controller and (optionally) the processor(s), the DPIA report (in various versions and stages of completion) serves as a communication tool for the involved staff. This is of particular importance given the possibly interdisciplinary character of the work, where, for example, one kind of expertise is required to identify the risks and another to find adequate technical mitigation measures. Its role is also important when staff changes and when the processing activity evolves over time.

2. Data Protection Officers (DPOs) have responsibilities that refer directly to the DPIA. In particular, they have the task of providing advice on the DPIA where requested and monitoring its performance[1].

3. A supervisory authority that investigates whether a given processing activity is compliant with the GDPR may ask to receive a DPIA report (where required) as evidence that the obligation of Article 35 was satisfied, and more generally to assess compliance with the GDPR. In fact, a well-written DPIA report contains all the evidence necessary to demonstrate that the processing activity is indeed compliant.

4. Transparency is a key requirement of the GDPR. Accordingly, the Article 29 Working Party recommends considering the publication of at least a redacted version of the DPIA[2].
 

References


[1] Article 35(1)(c) GDPR

[2] wp248rev.01, page 18, Section III.D.d), 2nd paragraph: “Publishing a DPIA is not a legal requirement of the GDPR, it is the controller's decision to do so. However, controllers should consider publishing at least parts, such as a summary or a conclusion of their DPIA.”
