Datenschutz-Folgenabschätzung/en: Unterschied zwischen den Versionen

According to the General Data Protection Regulation, it must be documented and decided for each processing activity whether a data protection impact assessment (DPIA) is to be carried out. This is done in the course of a data protection impact assessment necessity test.

Related processing activities may be subject to the same DPIA necessity test to declare that a DPIA is or is not necessary for the processing activity.

A DPIA in HITGuard combines the DPIA necessity test and the subsequent DPIA. First, the necessity test is performed and then, depending on the result of the test, the documentation step can either be completed or a DPIA must consequently be performed and thus documented.

In HITGuard, these DPIA can be found and managed under the menu item "Data protection → DPIA".

There is also the possibility to store existing DPIA documents.

Important: A standard DPIA report and likewise a report for the consultation with the data protection authority can be prepared.

Note: If you need less help but more space for filling in the DPIA, you can collapse the right part and hide the explanations.

To create a DPIA, click the "Plus" button in the DPIA overview ("Data protection → DPIA").

To edit a DPIA, double-click on the desired DPIA.

In the following picture you can see an overview of all DPIAs:

Hint: Many of the DPIA's steps offer additional explanatory texts in the right half of the assistant. If you do not need those and wish to hide them, they can be collapsed with the arrow in the top right.

The following describes the review details of a DPIA.

Name: A name for the DPIA is assigned here.

Confirmer: Owners, directors, officers or other legally appointed corporate officers.

Advisor: Those persons who are responsible for the processing activity in the company.

Examiner: The person who processes the DPIA. The user who creates the DPIA in HITGuard is suggested.

Version date: A date for the version of the DPIA must be entered here.

Version number: A version number for the DPIA must be entered here. This is for historization purposes.

Assigned processing activities:

• Here, processing activities can be assigned to the DPIA. The DPIA applies to all assigned PAs.
• A PA can only be assigned to a DPIA if it does not yet belong to any DPIA.
• Main PA: The data of this processing activity are used as the basis for the DPIA and its content, such as linked TOMs, are loaded in. Further PAs can be assigned to the DPIA in order for the DPIA to also apply to them. The further PAs should describe similar processes with similarly high risks. Once at least one PA is linked with the DPIA, one of them must be set as the main PA.
• No deactivated processing activities are available.
• If a processing activity is deactivated, it marked as deactivated here.

The necessity test is the step towards knowing whether a DPIA needs to be performed for the assigned processing activities.

To assess whether a DPIA is necessary, three cases are distinguished:

1. It is an exception to the DPIA.
2. The necessity of the DPIA is specified.
3. A threshold analysis is performed to determine whether a DPIA seems necessary.

A DPIA necessity test or a DPIA may apply to related processing activities. This is the case if the processing activity addresses a similar risk. Therefore, it is possible to link several processing activities to the DPIA in the review details. The processing activity marked as "Main processing activity" is the basis from which HITGuard draws the collected information from the processing activity (e.g., data categories, resources used, etc.) in the DPIA steps of the wizard.

There are cases in which it is not necessary to conduct a data protection impact assessment. These include, among others:

Anticipation: If the processing activities have been reviewed and approved by the data protection authority before May 2018 and have not changed, the data protection impact assessment may be omitted.

Whitelisting: If the processing activity is on the list of types of processing activities that do not require a DPIA that the supervisory authority may establish (Art. 35(5)), the DPIA may be omitted.

Similarity assessment: If the review of similar processing activities reveals similarly high risks due to their nature, scope, circumstances and purpose, then a data protection impact assessment may be carried out jointly (Art. 35 (1) GDPR).

Depending on whether it is an exception or not, either this concludes the necessity test and the DPIA is completed, or it continues with the next step.

Important:

• If "Yes" is selected, reasons must be given as to why no data protection impact assessment is to be carried out!
• "Yes" means that the necessity test has been completed and no further test steps need to be performed.
• If "Yes" is selected, step 6 Consultations and step 7 DPIA result are not deactivated, as that information can still optionally be documented for purposes of completeness. In step 7 one would then choose the option showing that the processing activity complies with data protection guidelines.

Unlike the previous point, this one assumes that there is no exception to the DPIA.

There are cases where it is mandatory to perform a data protection impact assessment. These include:

• Art. 35 (3) GDPR: Concerns automated processing including profiling, extensive processing of special categories of personal data or criminal convictions and offences, and systematic, extensive monitoring of publicly accessible areas.

• Mention on the blacklist: The supervisory authority draws up a list of processing activities for which a DPIA must be performed. Once this list has been published, it must be taken into account here.

Additionally, a rationale for the decision can be recorded.

Important: "Yes" skips the "Threshold analysis" item, as a DPIA is definitely to be performed.

If the necessity of a DPIA is not specified by a clear obligation to perform or not perform it, it is at the discretion of the examiner to assess the necessity of performing the DPIA. The information provided by the Art. 29 Data Protection Working Party will help in this regard. The handling of the list of criteria is recommended using a rule of thumb as follows: A high risk exists in any case if at least two of the criteria of WP 248 (bottom) or at least one of the criteria of Art. 35 GDPR (top) are met. In this case a DPIA should be carried out.

In order to find out which criteria are met, the working paper "248 Criteria of the European Data Protection Board" should be reviewed first!

Subsequently, a decision must be made as to whether a DPIA is to be performed. A justification for this decision must be recorded.

The DPIA necessity test should be performed for every processing activity. With HITGuard, these review steps can be verifiably documented. In some cases, however, the necessity test must be documented for the processing register even though the DPIA has already been performed; for example, it was created together with an external consultant. In this case, you may not want to document another DPIA in HITGuard. For the central collection of your documents in case of contact by the authority, you might like to merge all documents in HITGuard. In this case, you can record that a DPIA has already been performed in this step. Upload the DPIA report here and specify that no further DPIA documentation steps are to be performed in HITGuard.

Important: Setting the "DPIA already done" will disable the following steps of the DPIA , because the DPIA is already in place.

If a DPIA is to be performed in HITGuard, the planned processing activities must first be described.

Art. 35 (7) (a) GDPR requires a systematic description of the planned processing activities including the purpose of the processing. For this purpose, HITGuard will load the purpose of processing already recorded there from the main processing activity. You can supplement this information with additional information, such as area of application, user, etc.

The responsibilities for processing, such as the person responsible for the processing activity or any processors and information on joint processing are also presented to you from the main processing activity.

In this item, norms and standards are to be listed which are used for the processing. This also includes guidelines and data protection certifications (Art. 42 GDPR) as well as approved codes of conduct (Art. 40 GDPR).

Approved rules of conduct are often referred to as "codes of conduct". They are published by a federation or association, such as professional associations or chambers, for example. The association issues the approved rules of conduct as binding specifications to determine the data protection-related conduct of its members. The DPIA must describe whether there are approved rules of conduct pursuant to Art. 40 GDPR to which the company subscribes and whose requirements they implement and comply with.

In the DPIA, a detailed description of the planned processing activities, including the following information, can be found under this item:

• all personal data processed, including information on categories of data subjects, recipients and information on the storage of the data
• the information systems used for this purpose (=operating resources)

HITGuard supports you here, as it lists all relevant information about this that has already been recorded in the main processing activity.

Detailed descriptions of the IT resources used can also be recorded here. Furthermore, documents with visualized representations of IT resources and their dependencies can be stored.

In this item of the DPIA, a detailed account of the planned processing activities, including the following information, is to be recorded:

• Description of the process steps for a detailed account of how the processing activity will work and what will happen.
• Internal and external interfaces as well as data flows.

To clarify the explanation, documents such as data flow diagrams can be attached in this step in addition to capturing a detailed description.

In this point of the DPIA, the necessity and proportionality of the processing activities are justified in accordance with Art. 35 (7) (b) GDPR.

To do this, several points need to be clarified:

• Description of the necessity and proportionality

The necessity and proportionality of the processing activity for the purpose can be explained here with regard to the following information.

• Lawfulness of processing (Art 5 (1) (a) DSGVO):

The lawfulness of the processing activities of each data category are listed here. (Data categories from main processing activity)

• Purpose limitation principle (Art. 5 (1) (b) GDPR):

It must be explained why the processing purposes are determined, clearly defined and lawful.

• Data minimization (Art 5 (1) (c) GDPR):

It must be explained why the data collected are necessary, required and relevant.

• Accuracy (Art 5 (1) (d) GDPR):

It must be described what steps are taken to ensure the quality of the data (accuracy, timeliness, etc.).

Measures and controls that ensure the quality of the data can be linked.

• Storage limitation (Art 5 (1) (e) GDPR):

The storage period (deletion period) of the data including the justification for this must be specified. However, this is already done in the step "Data and resources" and is therefore not listed here.

This point of the DPIA records what is done to grant the personal rights of the data subjects.

Several points of the GDPR must be clarified for this purpose:

• Information obligation (Art 12-14 GDPR) and consent of the data subject (Art 6 GDPR):

It must be described how the data subjects are informed about the processing, which information is provided to you in which way and how the consent for the processing is obtained, if this is required.

For this purpose, measures and controls to demonstrate compliance with the information obligation and consent of the data subject can be linked here.

• Data subject rights (Art 13-22 GDPR):

It must be explained how data subjects can exercise their rights of access, authorization, erasure, restriction of processing, data transfer and objection.

For this purpose, measures and controls to demonstrate compliance with data subjects' rights can be assigned here.

• Commissioned processing (Art 28 GDPR):

It must be explained whether and why the obligations of the processors are clearly defined and contractually regulated.

For this purpose, a list of the processors is displayed. These come from the main processing activity.

• Data transfers to third countries (Art 44-49 GDPR):

It must be explained whether data transfers to countries outside the EU take place and whether and how these data are adequately protected.

For this purpose, a list of recipients to third countries is displayed. This comes from the main processing activity.

• Position of the data subjects

It must be described if and how the data subject's point of view was ascertained.

If it was not ascertained, this must be justified!

Risk assessment involves analyzing risks to the rights and freedoms of the data subjects. I.e., the analysis of the risk is carried out from the perspective of the data subject and not the company. In the process, risks are identified and assessed. This is done in the risk management area of HITGuard. The identified hazard situations - which largely correspond to the concept of risk used in the GDPR - can be linked to the DPIA here.

HITGuard decides on measures and controls to deal with the identified hazard situations. These measures and controls are presented by the tool itself in the DPIA on the basis of the linked hazard situations.

This item records whether the advice of the data protection officer has been sought and whether the data protection authority has been consulted.

Pursuant to Article 35 (2) of the GDPR, the examiner must seek the advice of the data protection officer when carrying out a DPIA, if a data protection officer has been appointed. This consultation, the result thereof, or reasons for not carrying it out can and should be documented here.

If a DPIA shows that the processing would result in a high risk, then the examiner must consult the supervisory authority before processing if they do not or cannot take measures to mitigate the risk. This step can also be documented here in HITGuard by recording the decision of the data protection authority or by referring to the DPIA report.

The result of the DPIA is recorded here.

It can be recorded here whether the assigned processing activities are in alignment with the data protection regulations and may therefore be carried out.

If the processing activities do not currently align with the data protection regulations, they may no longer be carried out. This is why it's possible to create and assign measures and controls that are meant to align the processing activities with the data protection regulations. Then they may be carried out again.

The result selected here is also displayed in the last step of the assigned processing activities.