§ 53 BlnDSG
Conduct of a Data Protection Impact Assessment
(1)Where a form of processing, in particular using new technologies, is likely, on account of the nature, scope, context and purposes of the processing, to result in a substantial risk to the rights of data subjects, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the data subjects.
(2)A single data protection impact assessment may be carried out for the examination of several similar processing operations with a similarly high level of risk.
(3)The controller shall involve the data protection officer in the conduct of the impact assessment.
(4)The impact assessment shall take into account the rights of the data subjects affected by the processing and shall contain at least the following: 1. a systematic description of the envisaged processing operations and the purposes of the processing, 2. an assessment of the necessity and proportionality of the processing operations in relation to their purpose, 3. an assessment of the risks to the rights of the data subjects, and 4. the measures envisaged to address existing risks, including the safeguards, security measures and procedures to ensure the protection of personal data and to demonstrate compliance with the legal requirements.
(5)Where necessary, the controller shall carry out a review of whether the processing complies with the requirements resulting from the impact assessment. zur Einzelansicht § 53