Data Protection Impact Assessment (DPIA)

Oct 5, 2020

A term defined by the European Data Protection Supervisor. “The DPIA process aims at providing assurance that controllers adequately address privacy and data protection risks of ‘risky’ processing operations. By providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIAs help organisations to comply with the requirement of ‘data protection by design’ where it is needed the most, i.e. for ‘risky’ processing operations. A DPIA is in particular required for: systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, and that produce legal effects concerning the natural person or similarly significantly affect the natural person; processing on a large scale of special categories of data referred to in Article 10, or of personal data relating to criminal convictions and offences referred to in Article 11; or systematic monitoring of a publicly accessible area on a large scale. The European Data Protection Supervisor has established a template allowing controllers to assess whether they have to do a DPIA [annex 6 to Part I of the accountability toolkit].” For more information see: https://edps.europa.eu/data-protection/notre-r%C3%B4le-en-tant-que-contr%C3%B4leur/data-protection-impact-assessment-dpia_en
