GDPR Article 35 — Data protection impact assessment
Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
A data protection impact assessment (DPIA) is required before starting high-risk processing: large-scale profiling, processing sensitive data at scale, or systematic public monitoring. It must be done BEFORE you start.
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
A data protection impact assessment shall in particular be required in the case of: a systematic and extensive evaluation of personal aspects based on automated processing including profiling; processing on a large scale of special categories of data; or a systematic monitoring of a publicly accessible area on a large scale.