Further to Article 35(4) and (6) GDPR, the competent supervisory authorities, i.e., the CNPD in Luxembourg, must establish a list of the kind of processing operations which are likely to result in a high risk for the rights and freedoms of data subject and, hence, subject to the requirement for a data protection impact assessment (hereinafter “DPIA”). Such lists come in addition to the examples of «high risk» situations foreseen in Article 35(3) GDPR.
According to Article 35 GDPR, the carrying out of a so-called data protection impact assessment (DPIA) is mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons”, especially when a new data processing technology is being introduced and/or taking into account the...
|