Weiter zum Inhalt

Fundamental Rights, the Normative Keystone of DPIA

Dara Hallinan, Nicholas Martin

DOI https://doi.org/10.21552/edpl/2020/2/6

Keywords: data protection, privacy, GDPR, data protection impact assessment, DPIA, fundamental rights


The General Data Protection Regulation mandates that data controllers conduct a Data Protection Impact Assessment (DPIA) for certain processing activities. The core of the substance of the DPIA obligation requires that data controllers engage in ‘an assessment of the risks to the rights and freedoms of data subjects [posed by the processing operation]’. A common interpretation has emerged that this obligation only requires data controllers to engage in a ‘compliance assessment’: an assessment of the risks of processing considering the concrete provisions of the GDPR. This article takes issue with this interpretation and offers an elaborated conceptual argument supporting the following, alternative, position: the obligation that the DPIA risk assessment process include ‘an assessment of the risks to the rights and freedoms of data subjects’ requires data controllers to take the complete catalogue of rights and freedoms, outlined in foundational European fundamental rights instruments, as the key normative reference point for the DPIA risk assessment process.
Keywords: data protection, privacy, GDPR, data protection impact assessment, DPIA, fundamental rights

Dara Hallinan, FIZ Karlsruhe Leibniz Institute for Information Infrastructure, Germany. For correspondence: <mailto:Dara.Hallinan@fiz-Karlsruhe.de>. Nicholas Martin,Fraunhofer Institute for System and Innovation Research ISI, Germany. For correspondence: <mailto:Nicholas.Martin@isi.fraunhofer.de>. We would like to thank the two anonymous reviewers for their comments on an earlier version of the article. The comments were knowledgeable and insightful and contributed greatly in improving the article.

Empfehlen


Lx-Number Search

A
|
(e.g. A | 000123 | 01)

Export Citation