Article 28.04

For purposes of this section, a “data privacy impact assessment” is a process designed to identify the risks and impact of the envisaged processing of personal data, and it comprises —

(a) a systematic description of the envisaged processing and its purpose, including the legitimate interest pursued by the data controller, data processor, or third party;

(b) an assessment of the necessity and proportionality of the processing in relation to the purposes for which the personal data would be processed;

(c) an assessment of the risks to the rights and freedoms of a data subject; and

(d) the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data, taking into account the rights and legitimate interests of a data subject and other persons concerned.