§ 67 BDSG
Conducting a data protection impact assessment
(1) Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the intended processing operations on the protection of personal data.
(2) The assessment referred to in Subsection (1) shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the provisions of this Part, taking into account the rights and legitimate interests of the data subjects and other persons concerned.
(3) The Federal Commissioner shall be consulted during the preparation of a legislative proposal to be adopted by the German Bundestag or of a regulatory measure based on such a proposal which relates to the processing of personal data, a data protection impact assessment shall be carried out.
(4) The controller shall review whether the processing of personal data is in compliance with the data protection impact assessment at the latest when there is a change in the risk represented by the processing operations.
(5) The assessment referred to in Subsection (1) shall be documented.