Private- and public-sector data controllers must carry out a data protection impact assessment (DPIA) if data processing is likely to result in a high risk to the personality or fundamental rights of the data subjects.
Data protection impact assessment
The DPIA is an instrument used by data controllers to record, evaluate and deal with data protection risks. The rules on DPIAs in the totally revised Federal Data Protection Act reflect the risk-based approach taken in the new data protection law, which also means that the requirement to carry out a DPIA only applies if there is a potentially high risk.
The DPIA provides a description of the data processing that is planned, evaluates the risks to the personality or fundamental rights of the data subjects and indicates the measures required to protect those rights. Where a data processing operation is already ongoing, the data controller has to review the current situation and indicate in the DPIA the main differences between the existing operation and the data processing that is planned.
A high risk may arise from the nature, scope, circumstances and purpose of the processing, in particular when using new technologies. The law mentions, for example, the large-scale processing of sensitive personal data and the systematic, large-scale surveillance of public areas (see Art. 22 FADP). When assessing and dealing with risks, it is important to distinguish between those that can be influenced by risk-reducing measures and those that cannot or are unlikely to be influenced by measures.
If the DPIA shows that the planned data processing poses a high residual risk to the personality or fundamental rights of the data subjects despite the measures envisaged by the controller, an opinion must be obtained from the FDPIC. An exception applies to private controllers if they have consulted their data protection officer.
More information is available on the website of the Federal Office of Justice (FOJ).
Last modification 01.09.2023