Data protection impact assessments

AuthorMichèle Finck
Blockchain and the General Data Protection Regulation
9. Data protection impact assessments
Where data processing is likely to result in a high risk to fundamental rights, the controller ought
to take preventive action and carry out a Data Protection Impact Assessment ('DPIA') to determine
the impact of processing on personal data protection. 529 DPIAs are evaluations of the impact of the
planned processing operations on data subjects that ought to be carried out by data controllers
where the nature, scope, context and purposes of processing are of high risk to the rights and
freedoms of natural parties, which can be the case in particular where new technologies are used.530
This is required in particular where there is a 'a systematic and extensive evaluation of personal
aspects relating to natural persons which is based on automated processing, including profiling,
and on which decisions are based that produce legal effects concerning the natural person or
similarly significantly affect the natural person'.531
Under Article 35 GDPR, such impact assessments are recommended in particular where
processing involves (i) a systemic and extensive evaluation of personal aspects of natural persons
based on automated processing; (ii) sensitive data and data related to criminal convictions and
offences or (iii) where the systematic monitoring of a publicly accessible area on large scale is
involved.532 Where a DPIA indicates that processing results in a high risk for data subjects and no
measures to mitigate the risks can be taken, the controller is required to inform the supervisory
Pursuant to Article 35(7) GDPR, this assessment ought to provide a systematic description of the
purposes and processing activities (as well as, where applicable, any assessment of the legitimate
interest of the controller to process personal data), an assessment of the necessity and
proportionality of the processing (in relation to the purpose), an assessment of the risks and rights
and freedoms of data subjects as well as the envisaged measu res to address such risks.
It is important to stress that the need for a DPIA arises not so much because a specific
technology is used but rather because the processing in question is deemed particularly risky,
such as where a large scale of special categories of data or data related to criminal convictions or
offenses is processed534 or a publicly accessible area is systemically monitored on a large scale.535
The need for a data protection impact assessment thus arises where there is a high risk for data
subjects, rather than through the use of a particular technology.
Nonetheless, the use of a new technology may in itself be considered as giving rise to a high risk.
Indeed, the United Kingdom's Data Protection Authority considers that a DPIA must be carried out
whenever a new technology is used.536 What qualifies as a new technology is, however, notoriously
difficult to define as any innovation always builds on previous innovations. Indeed, it has been noted
in the introductory section that although blockchain can clearly be considered 'new' it is essentially
based on a number of innovations that date back to a few decades ago. Further, one may wonder
whether even though one assumes that blockchain is a new technology, for what period it can be
529 Article 35 (1) GDPR.
530 Article 35(1) GDPR.
531 Article 35 (3)(a) GDPR.
532 Article 35(3) GDPR.
533 Article 36(1) GDPR.
534 Article 35 (3)(b) GDPR.
535 Article 35 (3)(c) GDPR.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT