Data Protection Impact Assessment – Cybersecurity

A Data Protection Impact Assessment (DPIA), also called a Privacy Impact Assessment, is carried out for data processing operations that present specific risks to the rights of data subjects. See Art. 35(1) GDPR: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

The DPIA model (based on the Guidelines on Data Protection Impact Assessment available at ec.europa.eu/newsroom/article29/item-detail.cfm) and the DPIA procedure will be prepared, and assessments will be carried out on the processing operations considered at risk. In particular, the main risks arising from these processing activities will be outlined and then assessed using a methodology derived from the ISO/IEC 27005:2018 standard. Finally, if the detected risk levels are assessed as medium to high, further security measures will be defined to mitigate them.