The General Data Protection Regulation (GDPR) obliges Data Processors to carry out a Data Protection Impact Assessment (DPIA) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
While the GDPR does not contain specific detailed definitions or guidelines when this is necessary, it authorizes local data protection authorities to publish a substantiating list of the kind of processing operations which do or do not require a DPIA. While the Austrian data protection authority (Datenschutzbehörde) released a Whitelist of data processing operations generally exempt from a DPIA already in May 2018, now also the relevant Blacklist has been published. Any data processing activities included in such Blacklist are subject to a mandatory DPIA in accordance with Art 35 GDPR. This in particular may be the case for data processing operations including activities like profiling, automated evaluations, surveillance, extended use of special categories of personal data, etc.
We advise to review existing activities under these criteria to take any required measures. The DPIA is to be documented and presented to the authorities on request. Violations of such obligations may result in significant fines.
We are happy to assist in such assessment. In this case please contact us under telephone no. +43 1 494 63 63 or email firstname.lastname@example.org.