Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below.
Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below. DPIA SUMMARY OF DATA PROTECTION IMPACT ASSESSMENT Has been conducted ☐ Has not been conducted ☒ A screening exercise was undertaken by National Monuments Service to determine if a Data Protection Impact Assessment was required under GDPR Article 36. From which it was determined there was unlikely to be any high risk to the rights and freedoms of data subjects. Accordingly, a full Data Protection Impact Assessment has not been conducted Under S.20(4) of Data Sharing and Governance Act, an amended draft agreement must be submitted for review to the Data Governance Board in accordance with Part 9, Chapter 2 of the Data Sharing and Governance Act.
Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below. Has been conducted [select appropriately] ☐ Has not been conducted [select appropriately] ☒ DAFM, as Lead Agency and in accordance with its own policies and procedures as a Data Controller, has conducted an evaluation in order to determine whether a DPIA is necessary. As part of this evaluation, it considered that this processing was in place prior to 25 May 2018, that data is not being processed for a new purpose and no changes to how this data is processed have been made. DPIA was not conducted as the process does not involve:A systematic and extensive evaluation of personal aspects related to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning individuals or similarly significantly affect individuals A systematic monitoring of a publicly accessible area of a large scale Under S.20(4) of Data Sharing and Governance Act, an amended draft agreement must be submitted for review to the Data Governance Board in accordance with Part 9, Chapter 2 of the Data Sharing and Governance Act.
Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below. DPIA Select SUMMARY OF DATA PROTECTION IMPACT ASSESSMENT Has been conducted ☒ Although this activity does not meet the threshold for conducting a DPIA, Bord Bia has conducted one as a matter of good practice. This activity relates to the additional new use of personal data already shared by DAFM with Bord Bia. The new use involves analysis of AIM data to identify farms that may not be compliant with a new QA Scheme audit criterion. The new criterion addresses the issue of calf management by setting a high threshold to end the practice of slaughtering healthy young calves. The farms identified will be audited and farmers will be given the opportunity to address these issues and improve their practises before sanctions are applied. Sanctions will include the withdrawal of membership from the Scheme. The dairy and meat and livestock industry, as a whole, has a legitimate interest in protecting its reputation. Bord Bia is tasked with operating Quality Assurance Schemes and promoting Ireland’s food, drink and horticulture industries. 1. an assessment of the necessity and proportionality of the processing operations in relation to the purposes There is minimal personal data used in this activity. It is proportionate because there is a genuine requirement to protect the integrity of the dairy industry and the reputation of the relevant Schemes to reduce poor practise by a limited number of farmers in this area. As the processing does not involve any immediate sanctions being placed on farmers, and there is an opportunity to address nonconformance before sanctions are applied, this is deemed proportionate. 2. an assessment of the risks to the rights and freedoms of data subjects 3. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and...
Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below. DPIA SUMMARY OF DATA PROTECTION IMPACT ASSESSMENT Has been conducted ☐ Has not been conducted ☒ A DPIA was not deemed to be necessary as the processing of this data does not adversely impact on the rights and freedoms of the data subject. The DFA, as Lead Agency and in accordance with its own policies and procedures as a Data Controller, has conducted an evaluation in order to determine whether a DPIA is necessary. As part of this evaluation it considered that this processing was in place prior to 25 May 2018, that data is not being processed for a new purpose and no changes to how this data is processed have been made. The processing involves the data of a very small subset of persons, being citizens who have been seriously injured or are deceased abroad and details of their Next of Kin. In addition, information on the processing, including the sharing of information with AGS is available on the DFA website. Information for data subjects on how AGS processes personal data in the exercise of its statutory functions is available on the Garda website. The DFA and the AGS have applied the principle of data minimisation to the data being transmitted. Given the security measures in place, the means of transmission and subsequent storage any potential risk to the data or individuals is further minimised. It is on this basis that both the DFA and the AGS have concluded that there is not a need to complete a DPIA in relation to this processing.
Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below. DPIA SUMMARY OF DATA PROTECTION IMPACT ASSESSMENT Has been conducted [select appropriately] ☐ [To include a summary of the matters referred to in Article 35(7) GDPR)] The summary shall contain at least: 1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; 2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 3. an assessment of the risks to the rights and freedoms of data subjects; 4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. Has not been conducted [select appropriately] ☒ A DPIA has not been conducted for the following reasons: 1. The processing of this data is unlikely to result in a high risk to the rights and freedoms of natural persons. 2. The IIP applicant is made aware that their data will be shared with Revenue. 3. Ireland shares this data with other jurisdictions in order to meet its commitments under the OECD’s Common Reporting Standards See Appendix A for further information. Under S.20(4) of Data Sharing and Governance Act, an amended draft agreement must be submitted for review to the Data Governance Board in accordance with Part 9, Chapter 2 of the Data Sharing and Governance Act.
Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below. Has been conducted [select appropriately] ☐ N/A Has not been conducted [select appropriately] ☒ [A DPIA was not deemed to be necessary as the processing of data does not adversely impact on the rights and freedoms of the data subject] Under S.20(4) of Data Sharing and Governance Act, an amended draft agreement must be submitted for review to the Data Governance Board in accordance with Part 9, Chapter 2 of the Data Sharing and Governance Act.
Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below. conducted [select ☐ appropriately] A DPIA was not deemed to be necessary as the processing of this data does not adversely impact on the rights and freedoms of the data subject. The DFA, as Lead Agency and in accordance with its own policies and procedures as a Data Controller, has conducted an evaluation in order to determine whether a DPIA is necessary. As part of this evaluation it considered that this processing was in place prior to 25 May 2018, that Has not been conducted [select appropriately] ☒ data is not being processed for a new purpose and no changes to how this data is processed have been made. The processing involves the data of a very small subset of applicants for an Emergency Travel Certificate and that information on the processing, including the sharing of information with the HSE, is available on the DFA website. The DFA and the HSE have applied the principle of data minimisation to the data being transmitted. Given the security measures in place, the means of transmission and subsequent storage any potential risk to the data or individuals is further minimised. It is on this basis that both the DFA and the HSE have concluded that there is not a need to complete a DPIA in relation to this processing.
Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below. Has been conducted ☐ Has not been conducted ☒ This processing has been carried out since the CEB Dissolution Act 2014. This is not new processing and the data is not considered high risk. There is no new technology involved in the processing and no automated decision making, profiling or monitoring of data subjects. The processing is not deemed necessary for a DPIA according to the DPC guidelines. Therefore a DPIA was not conducted. Under S.20(4) of Data Sharing and Governance Act, an amended draft agreement must be submitted for review to the Data Governance Board in accordance with Part 9, Chapter 2 of the Data Sharing and Governance Act.
Schedule A - Data Protection Impact Assessment. If a data protection impact assessment (DPIA) has been conducted in respect of the data sharing to which this Data Sharing Agreement relates, a summary of the matters referred to in Article 35(7) of the GDPR is required to be filled in the table below. If a data protection impact assessment has not been conducted as it is not mandatory where processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 of the GDPR), outline the reasons for that decision in the table below. conducted [select ☐ appropriately] A screening exercise was undertaken by National Monuments Has not been conducted [select appropriately] ☒ Service to determine if a Data Protection Impact Assessment was required under GDPR Article 36 from which it was determined there was unlikely to be any high risk to the rights and freedoms of data subjects. Accordingly, a full Data Protection Impact Assessment has not been conducted.
