Article 22
Data protection impact assessment
- If processing is likely to result in a high risk to the data subject's personality or fundamental rights, the controller shall carry out a data protection impact assessment beforehand. If several similar processing procedures are planned, a joint assessment may be carried out.
- The existence of a high risk, in particular when using new technologies, depends on the nature, extent, circumstances and purpose of the processing. A high risk arises in particular:
  - a. in the case of the large-scale processing of sensitive personal data;
  - b. if public areas are systematically monitored on a large scale.
- The data protection impact assessment shall include a description of the planned processing, an evaluation of the risks to the data subject's personality or fundamental rights and a description of the measures to protect personality and fundamental rights.
- Private controllers are exempt from having to carry out a data protection impact assessment if they are required by law to process the data.
- A private controller may dispense with carrying out a data protection impact assessment if it uses a system, product or service that is certified under Article 13 for the intended use, or if it complies with a code of conduct under Article 11 that satisfies the following requirements:
  - a. The code of conduct is based on a data protection impact assessment.
  - b. It provides for measures to protect the personality and the data subject's fundamental rights.
  - c. It has been submitted to the FDPIC.