49—Processing activities requiring data protection impact assessment.

49.

(1) For the purpose of section 31 (1) of the Act, processing operations considered to result in high risks to the rights and freedoms of a data subject include —

(a)  automated decision making with legal or similar significant effect that includes the use of profiling or algorithmic means or use of sensitive personal data as an element to determine access to services or that results in legal or similarly significant effects;

(b)  use of personal data on a large-scale for a purpose other than that for which the data was initially collected;

(c)  processing biometric or genetic data;

(d)  where there is a change in any aspect of the processing that may result in higher risk to data subjects;

(e)  processing sensitive personal data or data relating to children or vulnerable groups;

(f)  combining, linking or cross-referencing separate datasets where the data sets are combined from different sources and where processing is carried out for different purposes;

(g)  large scale processing of personal data;

(h)  a systematic monitoring of a publicly accessible area on a large scale;

(i)  innovative use or application of new technological or organizational solutions; or

(j)  where the processing prevents a data subject from exercising a right.

(2) A data processor or data controller shall, prior to processing data under sub-regulation (1) conduct a data protection impact assessment.

111  PART VIII—DATA PROTECTION IMPACT ASSESSMENT