§ 39 NDSG
Data protection impact assessment
(1) Where a type of processing, in particular using new technologies, is likely, given the nature, scope, circumstances and purposes of the processing, to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to the processing.
(2) A single data protection impact assessment may be carried out for the investigation of several similar processing operations with similarly high risks.
(3) ¹The impact assessment shall give due consideration to the rights and legitimate interests of the persons affected by the data processing and other persons concerned. ²It shall be documented in writing and shall contain at least
(4) a systematic description of the envisaged processing operations and the purposes of the processing,
(5) an assessment of the necessity and proportionality of the processing operations in relation to the purpose,
(6) an assessment of the risks to the rights and freedoms of the data subjects, and
(7) the measures envisaged to address existing risks, including the safeguards, security measures and procedures through which the protection of personal data is to be ensured and compliance with the statutory requirements is to be demonstrated.
(8) The controller shall seek the advice of the data protection officer when carrying out the data protection impact assessment.
(9) Where necessary, the controller shall carry out a review of whether the processing complies with the measures resulting from the impact assessment.