This article deals with the issue of impact assessment for the protection of personal data. This is a new obligation for the controller. The article presents the essence of impact assessment (DPIA), exclusion from the obligation to carry it out, the prerequisite for mandatory DPIA, the role of the data protection officer and the powers of the supervisory authority. The analysis of legal provisions related to the impact assessment presented here does not refer to specific situations, due to the wide scope for interpreting specific phrases contained in the General Regulation. Nevertheless, the article discusses the issue of conducting data protection impact assessments as one of the most problematic obligations incumbent on the controller, who in practice raises many doubts. The DPIA has been imprecisely regulated by the EU legislator, thus leaving controllers plenty of leeway to interpret the terms used in the General Regulation. In addition, carrying out a DPIA in practice (as a new obligation on entities setting the purposes and means of data processing) can be problematic due to the lack of harmonized methods for conducting a data protection impact assessment. However, controllers cannot assign DPIA implementation to other entities involved in data processing, such as an entity processing personal data on behalf of another. Entities setting the purposes and methods of data processing should not only take into account the provisions of the General Regulation but also a list of data processing operations that are obligatorily subject to DPIA. Controllers fulfilling the obligation to carry out a data protection impact assessment will be obliged by the supervisory authority to demonstrate how to carry out a data protection impact assessment.
ABC bezpieczeństwa danych osobowych przetwarzanych przy użyciu systemów informatycznych, pod red. A. Rudnickiego, Warszawa 2007.
Barta J., Fajgielski P., Markiewicz R., Ochrona danych osobowych. Komentarz, Warszawa 2015.
Drozd A., Zabezpieczenie danych osobowych, Wrocław 2008.
Guzek E., Ślęzak E., Innowacyjna bankowość internetowa. Bank Web 2.0, Warszawa 2012.
Lisiak-Felicka D., Szmit M., Cyberbezpieczeństwo administracji publicznej w Polsce. Wybrane zagadnienia, Kraków 2016.
Lynskey O., The Foundations of EU Data Protection Law, Oxford 2015.
Maciąg R., Reklama w Internecie, w: Zarządzanie reklamą, pod red. B. Nierenberga, Kraków 2015, s. 131–142.
Mednis A., Wymóg oceny skutków przetwarzania w ogólnym rozporządzeniu o ochronie danych, „Monitor Prawniczy” 2016, nr 20: Ogólne rozporządzenie o ochronie danych. Aktualne problemy prawnej ochrony danych osobowych 2016, pod red. G. Sibigi.
Prawa autorskie (c) 2020 Aleksandra Pyka

Utwór dostępny jest na licencji Creative Commons Uznanie autorstwa – Użycie niekomercyjne – Bez utworów zależnych 4.0 Międzynarodowe.