Expert Advice Community

DPIA policy

Guest user Created:   Jun 29, 2018 Last commented:   Jun 29, 2018

1. Hi, I would love to ask you a few questions about GDPR. First of all, I am kind of really confused about DPIA policy. It is hard for me to find a specific answer, because I'm working in a cryptocurrency exchange, and I need to figure out whether we even need it or not. Maybe you have more knowledge in this situation. It seems that it depends on what kind of information we are collecting... So as you know, we are going to collect simple personal information, some bank information and information about income and so on. I'm not really sure whether it is high-risk information. All in all, I just really need some simple answers about DPIA...
Expert
Andrei Hanganu Jun 29, 2018

2. And the other one: I was pretty sure that the company might be data controller and data processor, but the more I'm reading about GDPR, the more I'm starting to think that we can be only one of them?

Answers:

1. A DPIA is an assessment of the impact of envisaged data processing operations on the protection of personal data, and more particularly an assessment of the likelihood and severity of risks for the rights and freedoms of individuals resulting from a processing operation. Under the GDPR, controllers will be required to undertake DPIAs prior to data processing - in particular processing using new technologies - which is likely to result in a high risk for the rights and freedoms of individuals (Article 35).

The GDPR provides the following non-exhaustive list of cases in which DPIAs must be carried out:
· automated processing for purposes of profiling and similar activities intended to evaluate personal aspects of data subjects;
· processing on a large scale of special categories of data or of data relating to criminal convictions and offences;
· systematic monitoring of a publicly accessible area on a large scale.

To find out more about DPIAs, check out our webinar “Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/).

2. You can't be a processor and a controller at the same time for the same processing activities. However, you can be a controller for certain activities, for example HR management of your own employees, and a processor for the personal data entrusted to you by other data controllers.

To find out more about controllers and processors, check out our article “EU GDPR controller vs. processor – What are the differences?” (https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/).
