Personal Data Protection Impact Assessment

Article 23. Data protection impact assessment – Law no. 133/2011 on personal data protection

(1) Depending on the nature, scope, context and purposes of the data processing, where a type of processing, in particular one based on the use of new technologies, is likely to pose an increased risk to the rights and freedoms of persons, the controller shall carry out, before processing, an assessment of the impact of the intended processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar increased risks.

(2) When carrying out the data protection impact assessment, the controller shall seek the opinion of the data protection officer, if one has been designated.

(3) The data protection impact assessment indicated in par. (1) is required in particular in the case of:

a) systematic and comprehensive assessment of personal matters relating to natural persons, which is based on automatic processing, including profiling, and on which automated decisions are based which produce legal effects on the natural person or which affect him in a similar way, to a significant extent;

b) the processing, on a large scale, of certain categories of data relating to the disclosure of racial or ethnic origin, political opinions, religious denominations or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for unique identification of a natural person, data on health or data on sexual life or sexual orientation, on criminal convictions and offenses of a natural person;

c) the systematic monitoring, on a large scale, of an area accessible to the public.

(4) The assessment shall include at least:

a) a systematic description of the intended processing operations and the purposes of the data processing, including, where appropriate, the legitimate interest pursued by the controller;

b) the assessment of the necessity and proportionality of the processing operations in relation to the respective purposes;

c) the risk assessment for the rights and freedoms of the data subjects mentioned in par. (1), in particular the origin (source), the nature, the specific degree of likelihood of occurrence of the increased risk and the severity of that risk. The result of the assessment shall be taken into account in determining the appropriate measures to be taken to demonstrate that the processing of personal data complies with this law;

d) risk prevention measures, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the provisions of this law, taking into account the rights and legitimate interests of data subjects and other interested persons.

(5) The controller shall, where appropriate, request the views of the data subjects or their representatives on the intended processing, in written or electronic form, without prejudice to the protection of commercial or public interests or the security of the processing operations.

(6) If the processing pursuant to art. 5 para. (5) lit. b) or d) has a legal basis provided by the regulations in force, and that law governs the specific processing operation or set of operations concerned and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of adopting the respective legal basis, the provisions of par. (1) – (3) of this article shall not apply, unless the regulations provide otherwise.

(7) If necessary, the controller shall carry out an analysis to assess whether the data processing takes place in accordance with the data protection impact assessment, at least when there is a change in the risk posed by the processing operations.

(8) The Center shall draw up and publish a list of the types of processing operations which are subject to the requirement to carry out a data protection impact assessment, in accordance with para. (1).

(9) The Center may also establish and make available to the public a list of the types of processing operations for which a data protection impact assessment is not required.

[Art.23 in wording of LP175 of 11.11.21, MO302-306/10.12.21 art.431; in force 10.01.22]

Article 24. Prior consultation – Law no. 133/2011 on personal data protection

(1) The controller shall consult the Center before processing the data if the assessment of the impact on data protection, provided in art. 23, indicates that the processing would generate an increased risk, and the controller considers that the risk cannot be mitigated by reasonable means in terms of available technologies and implementation costs.

(2) If the Center considers that the processing provided in par. (1) would violate this law, especially when the risk has not been sufficiently identified or mitigated by the controller, the Center shall provide written advice to the controller and, where appropriate, to the processor, in response to the request for consultation, and may use any of the powers mentioned in art. 20. That period may be extended by six weeks, taking into account the complexity of the intended processing. The Center shall inform the controller and, where applicable, the processor, within one month of receipt of the request, of such extension, giving detailed and specific reasons for the delay. These periods may be suspended until the Center has obtained the information it requested for the consultation.

(3) If the controller consults the Center in accordance with par. (1), it shall provide the Center with:

a) where applicable, the respective responsibilities of the controller(s) and the controllers involved in the data processing activities, in particular for processing within a group of undertakings;

b) the intended purposes and means of processing;

c) the measures and guarantees provided for the protection of the rights and freedoms of data subjects, in accordance with this law;

d) as the case may be, the contact details of the data protection officer;

e) the data protection impact assessment provided in art. 23;

f) other relevant and necessary information additionally requested by the Center.

[Art.24 in wording of LP175 of 11.11.21, MO302-306/10.12.21 art.431; in force 10.01.22]