Data Protection Impact Assessments
Methodological framework for conducting Data Protection Impact Assessments (DPIA) under Law 21.719, establishing activation criteria, analysis procedures, and prior consultation mechanisms with the Agency.
Data Protection Impact Assessment
Mandatory when processing poses a high risk to rights and freedoms. A privacy-by-design tool that identifies, analyzes, and mitigates risks before implementation.
Mandatory DPIA Scenarios
Systematic and Comprehensive Evaluation
- Automated profiling
- Scoring systems and automated decisions
- Predictive behavior analysis
Large-Scale Sensitive Data
- Massive health data processing
- Biometric data for identification
- Sexual orientation information
Systematic Observation
- Video surveillance in public spaces
- Continuous geolocation
- Online behavior monitoring
Impact Assessment Phases
Systematic Processing Description
Comprehensive documentation of the nature, scope, context, and purposes of the projected processing, including involved technologies.
Key Elements
- Data categories and sources
- Technologies and algorithms used
- Data flows and recipients
Necessity and Proportionality Assessment
Analysis of the legitimate purpose of processing and proportionality of means employed regarding pursued objectives.
Proportionality Test
- Suitability of means
- Necessity (less intrusive alternatives)
- Proportionality stricto sensu
Risk Assessment
Systematic identification and analysis of risks to data subjects' rights and freedoms, considering probability and impact.
Risk Categories
- Unauthorized access or disclosure
- Unwanted modification
- Disappearance, destruction, or loss
Mitigation Measures
Design and implementation of technical and organizational safeguards to reduce identified risks to acceptable levels.
Types of Measures
- Technical: encryption, pseudonymization
- Organizational: policies, training
- Legal: contracts, terms of use
Assessment Methodology and Tools
Effective DPIA requires structured methodologies and specialized tools that ensure comprehensive analysis and technically sound, legally robust results.
Data Flow Mapping
Visual representation of all personal data flows, from collection to deletion, identifying critical points and system interfaces.
Risk Matrix
Quantitative tool to assess probability and impact of each identified risk, enabling objective prioritization of mitigation measures.
Stakeholder Consultation
Structured consultation process with data subjects, technical experts, and representatives of relevant interest groups for the assessed processing.
Independent Validation
Review by external specialists to ensure objectivity, comprehensiveness, and technical quality of the conducted assessment.
Prior Consultation with the Agency
When DPIA identifies high risks that cannot be adequately mitigated, prior consultation with the Data Protection Agency is mandatory before starting processing.
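The risk matrix described under Assessment Methodology and Tools, and the residual-risk test that triggers prior consultation, worked through in code. This is an added example, not material from the original page or from any regulator: the 1-5 ordinal scales, the high-risk threshold of 15 on the 25-point matrix, the per-measure reductions, and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales (assumption, not prescribed by Law 21.719).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
HIGH_RISK_THRESHOLD = 15  # assumed cut-off: a score >= 15 on the 25-point matrix is "high"


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    # Each measure is (description, likelihood reduction, impact reduction), in scale steps.
    measures: list = field(default_factory=list)

    def inherent(self) -> int:
        """Likelihood x impact before any mitigation is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Likelihood x impact after all planned measures; neither axis drops below 1."""
        likelihood, impact = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for _, d_likelihood, d_impact in self.measures:
            likelihood -= d_likelihood
            impact -= d_impact
        return max(likelihood, 1) * max(impact, 1)


def prioritize(risks: list) -> list:
    """Order the register by inherent score, highest first, to drive the mitigation plan."""
    return sorted(risks, key=lambda r: r.inherent(), reverse=True)


def requires_prior_consultation(risks: list) -> list:
    """Names of risks whose residual score is still high after mitigation.
    A non-empty result means the Agency must be consulted before processing starts."""
    return [r.name for r in risks if r.residual() >= HIGH_RISK_THRESHOLD]


# Constructed register using the page's three risk categories and example measures.
REGISTER = [
    Risk("Unauthorized access or disclosure", "almost certain", "severe",
         [("Encryption at rest and in transit", 1, 1), ("Role-based access policy", 1, 0)]),
    Risk("Unwanted modification", "possible", "major",
         [("Integrity checks and audit logging", 1, 0)]),
    Risk("Disappearance, destruction, or loss", "likely", "severe",
         [("Periodic backups, untested", 0, 1)]),  # a single weak measure leaves this high
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name}: inherent={r.inherent()} residual={r.residual()}")
    print("Prior consultation required for:", requires_prior_consultation(REGISTER))
```

The third entry shows the point of the residual test: a high inherent score is acceptable only if the documented measures actually bring it down, otherwise it is carried to the Agency rather than accepted.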
Frequently asked questions
What is a Data Protection Impact Assessment (DPIA)?
It is the prior analysis the controller must perform when processing entails a high risk to data-subject rights. Its goal is to identify risks, assess their likelihood and impact, and set technical and organizational measures to mitigate them before processing begins.
When is a DPIA mandatory under Law 21.719?
When sensitive data is processed at large scale, publicly accessible areas are systematically monitored, profiling with significant legal effects on subjects is carried out, or new high-risk technologies are used. The Agency may publish lists of operations requiring it.
What minimum content must the DPIA cover?
A description of the processing and its purposes, an assessment of necessity and proportionality, identification of risks to subjects, the planned measures to address them, and mechanisms for consulting stakeholders where appropriate. It must be documented and retained for supervision.
When must the Agency be consulted before processing?
When the DPIA shows the processing entails high residual risk even after mitigating measures. Prior consultation lets the Agency warn the controller and, where appropriate, prevent processing from starting. It is an extra safeguard over the general regime.
What happens if high-risk processing starts without a DPIA?
It is a serious breach of Law 21.719, with fines of up to 10,000 UTM. It also weakens the controller's defense against further charges and compromises the lawful continuation of the processing. The absence of a DPIA is itself evidence of accountability failings on the controller's part.