§ 43 LDSG SH
Data protection impact assessment
(1) Where a type of processing, in particular using new technologies, is likely, given the nature, scope, circumstances and purposes of the processing, to result in a high risk to the rights of data subjects, the controller shall carry out an assessment of the impact of the envisaged processing operations on data subjects prior to the processing.
(2) A single data protection impact assessment may be carried out to assess several similar processing operations with similarly high risk potential.
(3) The controller shall involve the data protection officer in carrying out the impact assessment.
(4) The impact assessment shall take into account the rights of the data subjects affected by the processing and shall contain at least the following:
1. a systematic description of the envisaged processing operations and the purposes of the processing,
2. an assessment of the necessity and proportionality of the processing operations in relation to their purpose,
3. an assessment of the risks to the rights of the data subjects, and
4. the measures envisaged to address existing risks, including the safeguards, security measures and procedures through which the protection of personal data is to be ensured and compliance with the statutory requirements is to be demonstrated.
(5) Where necessary, the controller shall carry out a review of whether the processing complies with the measures resulting from the impact assessment.