§ 62 HDSIG
Conducting a Data Protection Impact Assessment
(1)Where a type of processing, in particular using new technologies, is likely, given the nature, scope, circumstances and purposes of the processing, to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to the processing. § 59 para. 1 sentence 2 shall apply accordingly.
(2)A single data protection impact assessment may be carried out for the investigation of several similar processing operations with similarly high risks.
(3)The controller shall involve the data protection officer in the conduct of the impact assessment.
(4)The impact assessment shall take into account the rights and legitimate interests of the data subjects and other affected persons and shall contain at least the following: 1. a systematic description of the envisaged processing operations and the purposes of the processing, 2. an assessment of the necessity and proportionality of the processing operations in relation to their purpose, 3. an assessment of the risks to the rights and freedoms of the data subjects, and 4. the measures envisaged to address the risks, including safeguards, security measures and procedures by which the protection of personal data is ensured and compliance with legal requirements is demonstrated.
(5)Where necessary, the controller shall carry out a review to assess whether the processing is performed in accordance with the impact assessment. zur Einzelansicht § 62