Data protection impact assessment
65.(1) Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of an individual, the data controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
(2) A single assessment pursuant to subsection (1) may address a set of similar processing operations that present similar high risks.
(3) The data controller shall seek the advice of the data privacy officer, where designated, when carrying out a data protection impact assessment.
(4) A data protection impact assessment referred to in subsection (1) shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning an individual or similarly significantly affect the individual;
(b) processing on a large scale of sensitive personal data; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
(5) The Commissioner shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to subsection (1) and the Commissioner shall publish that list in the Official Gazette.
(6) The Commissioner shall establish and make public a list of the kind of processing operations where no data protection impact assessment is required and the Commissioner shall publish that list in the Official Gazette.
(7) A data protection impact assessment referred to in subsection (1) shall contain:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in subsection (1); and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act taking into account the rights and legitimate interests of data subjects and other persons concerned.
(8) Where appropriate, the data controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
(9) Where necessary, the data controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.