Data protection impact assessments
Author | Michèle Finck |
Pages | 87-88 |
Blockchain and the General Data Protection Regulation
87
9.Data protection impact assessments
Where data processing is likely to result in a high risk to fundamental rights, the controller ought
to take preventive action and carry out a Data ProtectionImpact Assessment ('DPIA') to determine
the impact of processing on personal data protection. 529DPIAs are evaluations of the impact of the
planned processing operations on data subjects that ought to be carried out by data controllers
where the nature, scope, context and purposes of processing are of high risk to the rights and
freedoms of natural parties, which can be the case in particular where new technologies are used.530
This is required in particular where there is a 'a systematic and extensive evaluation of personal
aspects relating to natural persons which is based on automated processing, including profiling,
and on which decisions are based that produce legal effects concerning the natural person or
similarly significantly affect the natural person'.531
Under Article 35GDPR, such impact assessments are recommended in particular where
processing involves (i) a systemic and extensive evaluation of personal aspects of natural persons
based on automated processing; (ii) sensitive data and data related tocriminal convictions and
offences or (iii) where the systematic monitoring of a publicly accessible area on large scale is
involved.532Where a DPIA indicates that processing results in a high risk for data subjects and no
measures to mitigate the risks canbe taken, the controller is required to inform the supervisory
authority.533
Pursuant to Article 35(7) GDPR, this assessment ought to provide a systematic description of the
purposes and processing activities (as well as, where applicable, any assessment ofthe legitimate
interest of the controller to process personal data), an assessment of the necessity and
proportionality of the processing (in relation to the purpose), an assessment of the risks and rights
and freedoms of data subjects as well as the envisaged measu res to address such risks.
It is important to stress that the need for a DPIA arises not so much because a specific
technology is used but rather because the processing in question is deemed particularly risky,
such as where a large scale of special categories of data or data related to criminal convictions or
offenses is processed534or a publicly accessible area is systemically monitored on a large scale.535
The need for a data protection impact assessment thus arises where there is a high risk for data
subjects, rather than through the use of a particular technology.
Nonetheless, the use of a new technology may in itself be considered as giving rise to a high risk.
Indeed, the United Kingdom's Data Protection Authority considers that a DPIA must be carried out
whenever a new technologyis used.536What qualifies as a new technology is, however, notoriously
difficult to define as any innovation always builds on previous innovations. Indeed, it has been noted
in the introductory section that although blockchain can clearly be considered 'new' it is essentially
based on a number of innovations that date back to a few decades ago. Further, one may wonder
whether even though one assumes that blockchain is a new technology, for what period it can be
529Article 35 (1) GDPR.
530Article 35(1) GDPR.
531Article 35 (3)(a) GDPR.
532Article 35(3) GDPR.
533Article 36(1) GDPR.
534Article 35 (3)(b) GDPR.
535Article 35 (3)(c) GDPR.
536https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-
governance/data-protection-impact-assessments/
Get this document and AI-powered insights with a free trial of vLex and Vincent AI
Get Started for FreeUnlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations
