Under the European Data Protection Board, which Processing operation would require a Data Protection Impact Assessment (DPIA)?
Under the European Data Protection Board, which Processing operation would require a Data Protection Impact Assessment (DPIA)?
Under the European Data Protection Board (EDPB) and the General Data Protection Regulation (GDPR), a Data Protection Impact Assessment (DPIA) is required when processing activities are likely to result in high risks to the rights and freedoms of individuals, particularly when using new technologies or when large-scale processing is involved. A DPIA is necessary in situations where processing could significantly affect data subjects, such as through profiling, surveillance, or the use of sensitive data.
Online advertising based on purchase/view history on the same site is usually profiling, but if limited to their own users and own platform, it may not cross the threshold for mandatory DPIA