§ 14 SDSG
Data protection impact assessment
(1) ¹A data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679 by the controller may be dispensed with insofar as
1. such an assessment has already been carried out for the processing operation by the competent ministry or a public body authorised by the ministry and the processing operation is adopted essentially unchanged, or
2. the specific processing operation is regulated in a legal provision and a data protection impact assessment was already carried out in the legislative process, unless this is expressly provided for in the legal basis.
²The ministries shall make available to public bodies the results of the data protection impact assessments carried out by them and the public bodies authorised by them.
(2) ¹Where a public body develops an automated procedure that is also intended for use by other public bodies, it shall carry out the data protection impact assessment pursuant to Articles 35 and 36 of Regulation (EU) 2016/679 where the conditions of Article 35(1) of Regulation (EU) 2016/679 are met for this procedure. ²Insofar as the procedure is adopted by public bodies essentially unchanged, a further data protection impact assessment by the adopting public bodies may be dispensed with.