
IT Glossary

Data privacy impact assessment (DPA)

The personal data protection impact assessment is the evaluation of the risks to the rights and freedoms of individuals that a personal data processing operation may generate.

It is required when the processing is likely to result in a high risk to the rights and freedoms of natural persons.

In particular, the data controller must perform this analysis when:

  • The processing is on the list published by the CNIL of processing operations for which an impact assessment is mandatory; OR
  • The processing meets at least two of the following criteria:
    • Evaluation or scoring;
    • Automated decision-making with legal or similarly significant effect;
    • Systematic monitoring;
    • Sensitive or highly personal data;
    • Data processed on a large scale;
    • Cross-referencing or combining data sets;
    • Data concerning vulnerable persons;
    • Innovative use or application of new technological or organisational solutions;
    • Processing that prevents the exercise of a right or the benefit of a service or contract.

In addition, the analysis must include the measures, safeguards and mechanisms envisaged to mitigate the risk to the rights and freedoms of natural persons, to ensure data protection and to demonstrate compliance with the GDPR.

The results of this analysis must in any case determine the appropriate measures to be taken to demonstrate that the processing of personal data complies with the GDPR.

When the analysis shows that the processing presents a risk deemed to be high, and the controller cannot mitigate that risk by taking adequate measures in view of the available techniques and the costs of implementing them, the controller must consult the supervisory authority before implementing the processing (prior consultation).

GDPR Point

“The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”

Article 35(7) of the GDPR

Point of jurisprudence

The CNIL issued a formal notice to the Ministry of Solidarity and Health on the ground that, for not having described “the totality of the personal data processing operations in connection with the StopCovid France application and the measures to limit the risks, the impact analysis established by the Ministry of Solidarity and Health does not fully meet the requirements of Article 35 of the RGPD.”

CNIL, July 15, 2020, N°MED-2020-015

The Bouchara Law firm assists you in particular with:

  • Bringing your organisation into GDPR compliance;
  • Drafting data protection policies (privacy policy, IT charter …);
  • Documenting your processing (register of processing activities, register of breaches, privacy impact assessment, prior consultation …);
  • Obtaining certifications and adhering to codes of conduct;
  • Studying the legal feasibility of implementing a new personal data processing operation;
  • Drafting and submitting your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and codes of conduct;
  • Training and raising the awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.