DE4A data protection impact assessment

Under European data protection law, specifically the GDPR, a DPIA must be conducted whenever “a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons”. In such cases, prior to initialising the processing operations, the data controller(s) must carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Keeping this in mind, and as recommended in the ethics reporting, a DPIA for the DE4A piloting activities was completed in the second year of DE4A, prior to initiating piloting activities. The DE4A DPIA built upon a similar DPIA that was conducted by the European Commission in relation to the draft implementing act for the SDGR. However, it was necessary to conduct a separate DPIA for DE4A, since the scope of DE4A does not align perfectly with the Commission's regulatory activities: the DE4A pilot initiatives go beyond the exact scope of the SDGR.


The DE4A DPIA is aligned with the mandatory topics required by the GDPR. It therefore contains:

(a) a systematic description of the envisaged processing operations and the purposes of the processing (including the individual pilots)

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes

(c) an assessment of the risks to the rights and freedoms of data subjects

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR

Each of these topics is systematically addressed and described in the current DPIA. It concluded that DE4A operates within the boundaries of data protection law and European ethical standards. The full text of the DPIA as completed at the time of submission of this deliverable is included in Annex I.

As with any DPIA, this document was developed iteratively based on the suggestions and feedback of the DE4A partners, who collectively contributed to the relevant descriptions, and to the identification of risks and mitigation measures. They have validated its contents after its completion. The DPIA will be adapted when processing operations and/or the resulting risks evolve.

To learn more

A full (but static) version of the DPIA is integrated into the initial report on legal and ethical recommendations and best practices,