§ 24 DSG NRW
Data protection impact assessment
(1)A data protection impact assessment pursuant to Article 35(1), first sentence, of Regulation (EU) 2016/679 should not be carried out insofar as such an assessment has already been carried out for processing that is adopted in essentially unchanged form by the competent supreme Land authority or by a public body authorised by it.
(2)The supreme Land authorities may make the results of data protection impact assessments carried out by them or by authorities authorised by them available to the public bodies within their area of responsibility, insofar as the information would not jeopardise the security of IT systems.
(3)Where a public body develops an automated procedure intended for use by public bodies, it may, where the conditions of Article 35(1) of Regulation (EU) 2016/679 are met for this procedure, carry out the impact assessment pursuant to Articles 35 and 36 of Regulation (EU) 2016/679. Insofar as the procedure is adopted by public bodies in essentially unchanged form, a further impact assessment by the adopting public bodies may be dispensed with.
(4)The State Commissioner for Data Protection and Freedom of Information