Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

 Data Protection Commission issues draft Data Protection Impact Assessment list for public consultation.

 

Introduction
 
Article 35 of General Data Protection Regulation (“GDPR”) prescribes that a Data Protection Impact Assessment (“DPIA”) shall be conducted by a controller where a type of data processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. The GDPR also sets out a number of specific instances in which controllers must conduct a DPIA. If required, a DPIA must be completed prior to the commencement of the relevant data processing.
 
The GDPR further requires national data protection authorities to adopt and publish, under Article 35(4) of the GDPR, a list of the kind of processing operations for which a DPIA is required.
 
Prior to adoption, this list must be approved by the European Data Protection Board (EDPB) where it includes processing operations relating to the provision of goods and services to individuals or the monitoring of their behaviour in several Member States or which may substantially affect the free movement of data within EU.
 
In accordance with the requirements of the GDPR, the Irish Data Protection Commission (“DPC”) has prepared a draft list of processing operations for which it considers it is mandatory to conduct a DPIA. The list is intended to encompass both national and cross-border data processing.
 
With a view to finalising the proposed list for submission to the EDPB for approval, the DPC is issuing its draft DPIA list for public consultation.
 
The submissions received by the DPC from this consultation will be used for the purposes of finalising the draft DPIA list for submission to the European Data Protection Board and for the purposes of any future guidance materials which the DPC may produce. The submissions may also be shared with other supervisory authorities and other members of the European Data Protection Board.
 

 

Stakeholder submissions are welcome by 4 July 2018 by email to consultation@dataprotection.ie.      

 

Full document here