Article 35 GDPR (Data Protection Impact Assessment)

Article 35 of GDPR: Data Protection Impact Assessment

Article 35 of GDPR is an important article relating to how companies assess data processing activities that may be considered as high risk for the data subjects.

High-risk data processing (Article 35(1) GDPR)

When a company intends to carry out personal data processing that, in light of the technologies used and the nature, scope, context and purpose of the processing, may result in a high risk to the data subjects concerned, it must perform a data protection impact assessment before carrying out the processing.

A data protection impact assessment (DPIA) can cover a single type of data processing or a combination of processing operations that may result in a high risk to data subjects.

Data protection officer’s advice (Article 35(2) GDPR)

If a company intends to process data in a way that may be considered high risk to data subjects, it must perform a data protection impact assessment before processing the data.

In this context, a company should consult with its data protection officer when carrying out the impact assessment.

When a data protection impact assessment is required (Article 35(3) GDPR)

GDPR specifies certain instances in which a DPIA is required.

If a company performs any of the following types of data processing operations, it is mandatory to perform a data protection impact assessment:

  1. When a company systematically and extensively evaluates personal aspects relating to individuals based on automated processing that produces legal effects on individuals or significantly affects them (Article 35(3)(a) GDPR)
  2. When a company processes special categories of data or personal data relating to criminal convictions and offences (Article 35(3)(b) GDPR)
  3. When a company systematically monitors a publicly accessible area on a large scale (Article 35(3)(c) GDPR)

Public list of data processing operations requiring a DPIA (Article 35(4) GDPR)

GDPR empowers the supervisory authority to establish and publish a list of the type and kind of data processing activities that will require a data protection impact assessment to be done prior to the collection, processing and storage of personal data.

Public list of data processing operations not requiring a DPIA (Article 35(5) GDPR)

Similarly, GDPR empowers the supervisory authority to establish and publish a list of data processing activities that will not require a data protection impact assessment. 

Application of the consistency mechanism (Article 35(6) GDPR)

Prior to adopting a list of any kind, the supervisory authority should apply the consistency mechanism provided under GDPR:

  1. Where the lists involve processing activities relating to goods and services or to the monitoring of data subject behaviour in several European Union member states
  2. If the data processing operations may substantially affect the free movement of personal data within the European Union

Content of the data protection impact assessment (Article 35(7) GDPR)

Article 35(7) outlines the content of the DPIA.

At a minimum, the data protection impact assessment must include the following items:

  1. A description of the data processing operations and the purpose of the processing, along with the legitimate interest of the organization (Article 35(7)(a) GDPR)
  2. An assessment of the necessity of the data processing operations and their proportionality in relation to the purpose (Article 35(7)(b) GDPR)
  3. An evaluation of the risk to the data subjects (Article 35(7)(c) GDPR)
  4. The manner in which the company will address and mitigate risk, along with the data protection safeguards to be put in place to demonstrate compliance with GDPR (Article 35(7)(d) GDPR)

Assessing a company’s adherence to code of conduct (Article 35(8) GDPR)

For the purpose of the data protection impact assessment, a data controller or data processor’s adherence to an approved code of conduct should be taken into consideration when assessing the impact of the data processing operations on the data subjects.

Obtaining the view of data subjects (Article 35(9) GDPR)

If feasible depending on the commercial interest of an organization or depending on the interest of the public, a company should strive to get the view of data subjects or their representatives with respect to the intended data processing operations.

Exemption to get a DPIA (Article 35(10) GDPR)

If a contemplated data processing operation is based on a legal obligation imposed on the data controller, and a data protection impact assessment was done by the European Union member country when adopting the law, then an organization is exempt from performing the DPIA again unless each EU member state requires it nonetheless.

Review of data processing activities (Article 35(11) GDPR)

When an organization processes personal data based on a DPIA, it must review its data processing operations at least whenever there is a change in the level of risk related to the processing activities.

Recitals applicable to Article 35 of GDPR

Relevant Recitals: 75, 84, 89, 90, 91, 92, 93

Cited Legislation in Article 35 or relevant recitals

Directive 95/46/EC

GDPR Text: Article 35 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)