Implementing Regulation of PDPL Article 25 makes it mandatory for Controllers to conduct a written Data Protection Impact Assessment (DPIA) whenever certain high-risk personal data processing activities are planned. It lists specific scenarios—such as processing sensitive data or using new technologies—that trigger the requirement. The DPIA must detail the processing’s purpose, data types, risks to individuals, and safeguards. If the DPIA reveals privacy harms, the Controller must revise and redo the assessment before proceeding.
If your processing activities involve sensitive data, automation, profiling, or high-risk individuals, you must conduct and document a DPIA before proceeding.
Implementing Regulation of PDPL Article 25 (1)
DPIA Mandatory Triggers
The Controller shall prepare a written and documented assessment of the potential impacts and risks that may affect the Data Subject as a result of Personal Data Processing. Impact assessment shall be conducted in the following cases:
Implementing Regulation of PDPL Article 25 (1) (a-d)
High-Risk Situations
a) Processing of Sensitive Data.
b) Collecting, comparing, or linking two or more sets of Personal Data obtained from different sources.
c) The activity of the Controller includes – continuous and large scale – Processing of Personal Data of those who fully or partially lack legal capacity, or Processing operations that by their nature require continuous monitoring of Data Subjects, or Processing Personal Data using new technologies, or making decisions based on automated Processing of Personal Data.
d) Providing a product or service that involves Processing Personal Data that is likely to cause serious harm to the privacy of Data Subjects.
Implementing Regulation of PDPL Article 25 (2)
DPIA Minimum Contents
The impact assessment shall include at least the following elements:
Implementing Regulation of PDPL Article 25 (2) (a-h)
Assessment Components
a) Purpose of the Processing and its legal basis.
b) Description of the nature of the Processing to be conducted, the types and sources of Personal Data to be processed, and any entities to whom the Personal Data is to be Disclosed.
c) Description of the scope of the Processing, which identifies the type of Personal Data and the geographical scope of the Processing.
d) Description of the context of the Processing, which identifies the relationship between the Data Subjects, the Controller, and the Processors, as well as any other relevant circumstances.
e) Necessity and proportionality of the measures to be taken to enable the Controller and Processors to process the minimal Personal Data necessary to achieve the purposes of the Processing.
f) Impact of the Processing, based on the severity of its impact, materially and morally, and the likelihood of any negative impact on Data Subjects, including any psychological, social, physical, or financial impact, and the likelihood of their occurrence.
g) Measures that will be taken to prevent or limit the risks.
h) The suitability of the measures envisaged to avoid identified risks.
Implementing Regulation of PDPL Article 25 (3)
Share with Processor
The Controller shall provide a copy of the impact assessment to any Processor acting on its behalf in relation to the relevant Processing.
Implementing Regulation of PDPL Article 25 (4)
Reassess if Risky
The Controller shall – if the assessment mentioned in this article indicates that the Processing operation will harm the privacy of the Data Subjects – address the reasons for that and re-conduct the assessment.
Explanation of Implementing Regulation of PDPL Article 25
DPIAs are required in high-risk processing scenarios:
Implementing Regulation of PDPL Article 25 (1) says controllers must conduct a DPIA when handling sensitive data, profiling, linking datasets, or using emerging technology.
Sensitive data, profiling, children, automated decisions:
Implementing Regulation of PDPL Article 25 (1) (a-d) says specific cases such as automated decisions, vulnerable groups, or serious privacy risks demand impact assessments.
What to include in the DPIA:
Implementing Regulation of PDPL Article 25 (2) says the DPIA must describe purpose, legal basis, data scope, context, risks, impacts, and mitigation steps.
Clear structure for risk, harm, and safeguards:
Implementing Regulation of PDPL Article 25 (2) (a-h) says the assessment must include harm likelihood, categories of impact (psychological, financial, etc.), and an evaluation of the mitigation plan.
Processors must receive the relevant DPIA:
Implementing Regulation of PDPL Article 25 (3) says controllers must provide their processors with a copy of the relevant DPIA for the processing activities involved.
Modify and redo the DPIA if harm is expected:
Implementing Regulation of PDPL Article 25 (4) says that if risks to data subjects are found, the Controller must adjust the processing plan and conduct a new DPIA.