Common use of Evaluation for a Data Protection Impact Assessment (DPIA Clause in Contracts

Evaluation for a Data Protection Impact Assessment (DPIA. The completion of a DPIA can help data controllers to meet their obligations in relation to data protection law. Article 35 of the GDPR sets out when a DPIA is required. Data controllers should periodically re-evaluate the risk associated with existing processing activities to understand if a DPIA is now required. 1.1 Identifying if a DPIA is required The below checklist can assist organisations to understand if they require a DPIA pursuant to Article 35 GDPR to support their data sharing agreement. The questions should be answered in relation to the entire project that the data share corresponds to. This ensures that Public Service Bodies (PSBs) have the opportunity to be transparent in the evaluation of risks in relation to the data required for this process. The completion of a DPIA is relevant to this data sharing agreement as you will be asked to provide a summary of any DPIA carried out in Section 16 of this document. The questions below should be completed by the Lead Agency together with the Other Parties involved in this data sharing agreement. Please contact your DPO in relation to the requirement to carry out a DPIA. DOES THE PROCESS INVOLVE: YES/NO 1.1.1 Processing being carried out prior to 25th May 2018? YES Table 1.1 If ‘Yes’ proceed to 1.2 If ‘No’ proceed to 1.1.2 DOES THE PROCESS INVOLVE: YES/NO 1.1.2 A new purpose for which personal data is processed? Choose Y/N 1.1.3 The introduction of new types of technology? Choose Y/N If ‘Yes’ to either of the last two questions, proceed to 1.1.4. If ‘No’ to both of the last two questions, proceed to 1.2. DOES THE PROCESS INVOLVE: YES/NO 1.1.4 Processing that is likely to result in a high risk to the rights and freedoms of natural persons? Choose Y/N If ‘Yes’, then you are likely required to carry out a DPIA under Article 35 GDPR. If ‘No’ proceed to 1.2.

Evaluation for a Data Protection Impact Assessment (DPIA. The completion of a DPIA can help data controllers to meet their obligations in relation to data protection law. Article 35 of the GDPR sets out when a DPIA is required. Data controllers should periodically re-evaluate the risk associated with existing processing activities to understand if a DPIA is now required. 1.1 Identifying if a DPIA is required The below checklist can assist organisations to understand if they require a DPIA pursuant to Article 35 GDPR to support their data sharing agreement. The questions should be answered in relation to the entire project that the data share corresponds to. This ensures that Public Service Bodies (PSBs) have the opportunity to be transparent in the evaluation of risks in relation to the data required for this process. The completion of a DPIA is relevant to this data sharing agreement as you will be asked to provide a summary of any DPIA carried out in Section 16 of this document. The questions below should be completed by the Lead Agency together with the Other Parties involved in this data sharing agreement. Please contact your DPO in relation to the requirement to carry out a DPIA. DOES THE PROCESS INVOLVE: YES/NO 1.1.1 Processing being carried out prior to 25th May 2018? YES Table 1.1 NO If ‘Yes’ proceed to 1.2 If ‘No’ proceed to 1.1.2 DOES THE PROCESS INVOLVE: YES/NO 1.1.2 A new purpose for which personal data is processed? Choose Y/NYES 1.1.3 The introduction of new types of technology? Choose Y/N If ‘Yes’ to either of the last two questions, proceed to 1.1.4. If ‘No’ to both of the last two questions, proceed to 1.2. DOES THE PROCESS INVOLVE: YES/NO 1.1.4 Processing that is likely to result in a high risk to the rights and freedoms of natural persons? Choose Y/N If ‘Yes’, then you are likely required to carry out a DPIA under Article 35 GDPR. If ‘No’ proceed to 1.2.

Evaluation for a Data Protection Impact Assessment (DPIA. The completion of a DPIA can help data controllers to meet their obligations in relation to data protection law. Article 35 of the GDPR sets out when a DPIA is required. Data controllers should periodically re-evaluate the risk associated with existing processing activities to understand if a DPIA is now required. 1.1 Identifying if a DPIA is required The below checklist can assist organisations to understand if they require a DPIA pursuant to Article 35 GDPR to support their data sharing agreement. The questions should be answered in relation to the entire project that the data share corresponds to. This ensures that Public Service Bodies (PSBs) have the opportunity to be transparent in the evaluation of risks in relation to the data required for this process. The completion of a DPIA is relevant to this data sharing agreement as you will be asked to provide a summary of any DPIA carried out in Section 16 of this document. The questions below should be completed by the Lead Agency together with the Other Parties involved in this data sharing agreement. Please contact your DPO in relation to the requirement to carry out a DPIA. DOES THE PROCESS INVOLVE: YES/NO 1.1.1 Processing being carried out prior to 25th May 2018? YES Table 1.1 If ‘Yes’ proceed to 1.2 If ‘No’ proceed to 1.1.2 DOES THE PROCESS INVOLVE: YES/NO 1.1.2 A new purpose for which personal data is processed? Choose Y/N 1.1.3 The introduction of new types of technology? Choose Y/N If ‘Yes’ to either of the last two questions, proceed to 1.1.4. If ‘No’ to both of the last two questions, proceed to 1.2. DOES THE PROCESS INVOLVE: YES/NO 1.1.4 Processing that is likely to result in a high risk to the rights and freedoms of natural persons? Choose Y/N If ‘Yes’, then you are likely required to carry out a DPIA under Article 35 GDPR. If ‘No’ proceed to 1.2.