§ 52 ThürDSG
Conducting a data protection impact assessment
(1)(Article 27 of Directive (EU) 2016/680)
(2)Where a form of processing, in particular using new technologies, is likely, due to its nature, scope, circumstances and purposes, to result in a high risk to the rights and interests of data subjects, the controller shall carry out an assessment of the impact of the envisaged processing operations on data subjects prior to the processing.
(3)A single data protection impact assessment may be carried out for the examination of several similar processing operations with a similarly high risk potential.
(4)The controller shall involve the data protection officer in the conduct of the data protection impact assessment.
(5)The data protection impact assessment shall take into account the rights of the data subjects affected by the processing and shall contain at least the following: 1. a systematic description of the envisaged processing operations and the purposes of the processing, 2. an assessment of the necessity and proportionality of the processing operations in relation to the purpose, 3. an assessment of the risks to the rights and interests of the data subjects, and 4. the measures intended to address the risks, including safeguards, security measures and procedures to ensure the protection of personal data and to demonstrate compliance with the legal requirements.
(6)Where necessary, the controller shall carry out a review to ascertain whether the processing is in accordance with the specifications resulting from the data protection impact assessment. zur Einzelansicht § 52