Suc­cessful­ly per­forming data pro­tec­tion impact assessments

The Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) pro­vi­des an obli­ga­ti­on to con­duct a data pro­tec­tion impact assess­ment (DPIA) for cer­tain high-risk pro­ces­sing of per­so­nal data. This is more often the case in prac­ti­ce than one might think at first glan­ce. A DPIA may be requi­red not only for video sur­veil­lan­ce but for ever­y­day ope­ra­ti­ons in com­pa­nies such as for the use of Micro­soft 365 or other cloud ser­vices. The imple­men­ta­ti­on of new obli­ga­ti­ons for the pro­tec­tion of whist­le­b­lo­wers resul­ting from the new Whist­le­b­lower Pro­tec­tion Act also regu­lar­ly neces­si­ta­tes a DPIA.

Micro­soft 365 and other cloud services

The use of Micro­soft 365 con­ti­nues to be per­mis­si­ble under data pro­tec­tion law in public bodies and com­pa­nies, pro­vi­ded cer­tain pre­cau­ti­ons are taken. This is also true for many other cloud ser­vices. Howe­ver, the sheer volu­me of data pro­ces­sed and the data pro­tec­tion risks invol­ved in the use of cloud ser­vices often neces­si­ta­te DPI­As, which can also ser­ve as an ele­men­ta­ry buil­ding block of data pro­tec­tion compliance.


Many com­pa­nies are curr­ent­ly con­cer­ned about data pro­tec­tion when imple­men­ting the Whist­le­b­lower Pro­tec­tion Act. If an enter­pri­se has more than 50 employees, an obli­ga­ti­on exists to set up inter­nal report­ing chan­nels. Com­pa­nies with gene­ral­ly 50 to 249 employees have until 17 Decem­ber 2023 to do so. For all others, the obli­ga­ti­on exists three months after the pro­mul­ga­ti­on of the law in the Bun­des­ge­setz­blatt, the fede­ral law gazet­te. Whist­le­b­lower reports may con­tain sen­si­ti­ve data rela­ting to the whist­le­b­lo­wers them­sel­ves, but also to the per­sons who are accu­sed of pos­si­ble vio­la­ti­ons of the law. Par­ti­cu­lar­ly if inter­nal report­ing chan­nels are digi­tal, a DPIA makes sen­se and is usual­ly requi­red by law.

What do com­pa­nies face if they do not comply?

If a DPIA is not car­ri­ed out, even though it is requi­red by law, the­re is a risk of fines from the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties. For exam­p­le, a fine of EUR 1.1 mil­li­on was impo­sed on an auto­mo­ti­ve manu­fac­tu­rer in 2022 for seve­ral data pro­tec­tion vio­la­ti­ons. One of the data pro­tec­tion vio­la­ti­ons repri­man­ded was a lack of a DPIA. Fur­ther­mo­re, it is in the well-conceived self-interest of com­pa­nies to con­duct DPI­As in cases of ris­ky pro­ces­sing ope­ra­ti­ons. In the event of inves­ti­ga­ti­ons and queries by the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties, a DPIA pro­vi­des com­pre­hen­si­ve docu­men­ta­ti­on that can be used to demons­tra­te data pro­tec­tion com­pli­ance in the company.

Data pro­tec­tion impact assess­ments in practice

Artic­le 35(7) GDPR expli­cit­ly regu­la­tes what assess­ments must con­tain. This includes, at a mini­mum, a sys­te­ma­tic descrip­ti­on of the plan­ned pro­ces­sing ope­ra­ti­ons, an assess­ment of the pro­por­tio­na­li­ty and risks to data sub­jects, and plan­ned miti­ga­ti­on mea­su­res to address the risks. For more infor­ma­ti­on, see our one-page report on privacy-compliant use of Micro­soft 365.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.