The Dutch data protection authority, Autoriteit Persoonsgegevens, has released its final list of the data-processing activities that require a data protection impact assessment. The AP states a DPIA should be conducted when biometric and sensitive information is processed, as well as when data is processed at a large scale. The agency identified systems that use automated-decision making as another instance when a DPIA should be performed. The AP, as well as other DPAs within the European Union, had sent previous DPIA lists to the European Data Protection Board, which subsequently offered its opinion on each submission. (Original article is in Dutch.)
If you want to comment on this post, you need to login.