After having received the favorable opinion of the European Data Protection Board, the Spanish Data Protection Agency (“AEPD”) released last 6th May a list of processing operations for which it is necessary to carry out a privacy impact assessment
According to Article 35 of the General Data Protection Regulation (GDPR), data controllers are obliged to carry out a Data protection impact assessment (PIA) prior to the implementation of such processing activities when, taking into account their nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons. According to the GDPR the risk will increase when the processing is carried out using “new technologies”.
Although the GDPR establishes criteria that help to identify those processing operations that involve a high risk, the supervisory authorities shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. In this context, the AEPD has published a list of processing operations determining that in the majority of cases where the processing meets two or more of the criteria on the list, a PIA will be necessary. The more criteria met by the processing analyzed, the greater the risk involved and the certainty of the need for a PIA.
Clique aqui para conferir a lista.