Art. 14 BayDSG
Data Protection Impact Assessment (on Art. 35 GDPR)
(1)A data protection impact assessment (impact assessment) by the controller may be dispensed with insofar as
(2)such an assessment has already been carried out for the processing operation by the competent State Ministry or a public body authorised by it, and this processing operation is adopted essentially unchanged, or
(3)the specific processing operation is regulated in a legal provision and an impact assessment was already carried out in the legislative procedure, unless otherwise specified in the legal provision.
(4)Where a public body develops an automated procedure intended for use by public bodies, it may, provided the conditions of Art. 35 para. 1 GDPR are met for that procedure, carry out the impact assessment pursuant to Art. 35 and 36 GDPR. Insofar as the procedure is adopted essentially unchanged by public bodies, a further impact assessment by the adopting public bodies may be dispensed with.