{"id":14494,"date":"2023-09-08T07:00:12","date_gmt":"2023-09-08T07:00:12","guid":{"rendered":"https:\/\/letslaw.es\/?p=14494"},"modified":"2023-09-05T13:49:56","modified_gmt":"2023-09-05T13:49:56","slug":"data-protection-impact-assessment-esential-aspects","status":"publish","type":"post","link":"https:\/\/letslaw.es\/en\/data-protection-impact-assessment-esential-aspects\/","title":{"rendered":"Data Protection Impact Assessment: Essential aspects"},"content":{"rendered":"<p>When it became applicable in 2018, the GDPR introduced a new obligation intended to strengthen the safeguards for the processing of personal data where the controller identifies a high risk. This <strong>new mechanism<\/strong> is known as a Data Protection Impact Assessment (DPIA).<\/p>\n<h2>What is a Data Protection Impact Assessment?<\/h2>\n<p>The DPIA, as defined by the AEPD, is &#8220;<em>a tool that makes it possible to assess in advance the potential risks to which personal data are exposed depending on the processing activities carried out with them<\/em>&#8221;.<\/p>\n<p>The DPIA makes it possible <strong>to determine the implications that a processing operation may have on the rights and freedoms of data subjects<\/strong> where such processing is likely to result in a high risk, inter alia because of the type of personal data processed or the environment and context in which they are processed, for example through the use of technologies such as artificial intelligence.<\/p>\n<p>The DPIA must be carried out before the processing in question begins: its aim is to measure the impact of the processing before it occurs, so that potential risks can be detected and mitigated before they materialise.<\/p>\n<h2>Processing operations that require a DPIA<\/h2>\n<p>The AEPD, following the criteria of the European Data Protection Board (EDPB), has published an indicative list of <strong>processing operations that 
require a DPIA<\/strong>, including, among others, the following:<\/p>\n<ul>\n<li>Processing involving the <strong>systematic and extensive observation, monitoring, supervision, geolocation or control of the data subject<\/strong>, including the collection of data and metadata through networks, applications or in publicly accessible areas, as well as the processing of unique identifiers that allow users of information society services (web services, interactive TV, mobile applications, etc.) to be identified.<\/li>\n<li>Processing involving the use of <strong>special categories of data, data relating to criminal convictions or offences, or data enabling the determination of financial or creditworthiness status<\/strong> or the inference of information about individuals that falls within the special categories of data.<\/li>\n<li>Processing operations involving the <strong>use of new technologies or an innovative use of established technologies<\/strong>, including the use of technologies on a new scale, for a new purpose or in combination with other technologies, in a way that involves new forms of data collection and use that pose a risk to the rights and freedoms of individuals.<\/li>\n<\/ul>\n<h2>What should a DPIA include?<\/h2>\n<p>A DPIA must address a number of <strong>aspects<\/strong>; the essential ones, which correspond to the minimum content required by Article 35(7) GDPR, are the following:<\/p>\n<ul>\n<li>A <strong>systematic description of the envisaged processing operations and the purposes of the processing<\/strong>, including, where appropriate, the legitimate interest pursued by the controller;<\/li>\n<li>An assessment of the <strong>necessity and proportionality of the processing operations<\/strong> in relation to their purposes;<\/li>\n<li>An <strong>assessment of the risks to the rights and freedoms<\/strong> of data subjects; and<\/li>\n<li>The <strong>measures envisaged to address the risks<\/strong>, including safeguards, 
security measures and mechanisms to ensure the protection of personal data.<\/li>\n<\/ul>\n<p>This is the minimum content that any DPIA must have for the AEPD to consider it correctly carried out and <strong>the rights and freedoms of data subjects guaranteed<\/strong>. It is nonetheless advisable to make the assessment as complete as possible, so that the high-risk processing can proceed with all the necessary guarantees.<\/p>\n<h2>Other essential aspects<\/h2>\n<p>If, once the DPIA has been carried out and the measures to be applied have been determined (taking into account the types of personal data processed and the context in which they are processed), the residual risk to the rights and freedoms of data subjects remains high, the controller must consult the supervisory authority before starting the processing. This is the prior consultation provided for in Article 36 GDPR.<\/p>\n<p>As the AEPD itself points out, &#8220;<em>the purpose of the consultation with the supervisory authority is not to obtain advice in relation to general aspects of compliance with data protection regulations (legal bases, proportionality, necessity, minimisation, information, data subjects&#8217; rights, etc.), nor to obtain approval of the processing by the supervisory authority&#8221;, but &#8220;its purpose is to guide the controller in relation to those risks that it has not been able to identify or sufficiently mitigate<\/em>&#8221;.<\/p>\n<p>In order to carry out the prior consultation with the supervisory authority, at least <strong>the following information<\/strong> should be provided:<\/p>\n<ul>\n<li>Where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular in the case of processing within a corporate group.<\/li>\n<li>The purposes and means of the intended processing.<\/li>\n<li>The measures and safeguards put in place to 
protect the rights and freedoms of data subjects.<\/li>\n<li>Where applicable, the contact details of the data protection officer.<\/li>\n<li>The DPIA.<\/li>\n<li>Any other information requested by the supervisory authority.<\/li>\n<\/ul>\n<p>It is important to carry out the DPIA correctly whenever one is required: carrying out high-risk processing without it is itself an infringement which, under Article 83(4) GDPR, may result in <strong>administrative fines of up to \u20ac10,000,000<\/strong> or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.<\/p>\n<p>At <strong>Letslaw<\/strong> we have a <a title=\"Data Protection lawyers - Letslaw\" href=\"https:\/\/letslaw.es\/en\/privacy-data-protection-lawyers\/\">highly experienced team in Data Protection and in carrying out DPIAs<\/a>, and we can advise you and help you to carry out high-risk processing with the greatest guarantees.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This DPIA makes it possible to determine the implications that a processing operation may have on the rights and freedoms of data subjects where such processing is likely to give rise to a high risk.<\/p>\n","protected":false},"author":2,"featured_media":14492,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[258],"tags":[],"class_list":["post-14494","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-digital-law"],"_links":{"self":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts\/14494","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/comments?post=14494"}],"version-history":[{"count":3,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts\/14494\/revisions"}],"predecessor-version":[{"id":14497,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts\/14494\/revisions\/14497"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/media\/14492"}],"wp:attachment":
[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/media?parent=14494"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/categories?post=14494"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/tags?post=14494"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}