Data Protection Impact Assessment

ePrivacy’s data protection experts have been discussing the question of the necessity of a data protection impact assessment (DPIA) for classic models of the online marketing industry, especially for a DMP. A DPIA seems to be necessary according to the current state of affairs. 
This is not only the result of the recently published DPIA blacklists by German authorities (e.g. the BayLDA), but also of the remarks of the Art. 29 Group.
Whether personal data is processed at all in the context of a DMP is open to discussion, and that discussion is not finished yet. Apart from that, the “comprehensive profiles on interests, etc.” mentioned in paragraph 7 of the blacklist as well as the big data analyses mentioned in paragraph 8 and the associated data accumulation from third-party sources are currently being drawn up. A DPIA is therefore most likely required for operating a DMP.

It is important to know: 

  • A company that uses DMP services from a third party still has to carry out its own DPIA. However, most of the information from the third party's existing DPIA can be taken over to set up its own DPIA.
  • A DPIA does not necessarily have to be carried out by external parties. The “responsible body” has discretion in how to carry out its DPIA.
  • DPIAs for DMPs can be developed based on a standardized model. ePrivacy conducts DPIAs and has already accomplished a large number of DPIAs for different business models.
  • ePrivacy is not aware of any cases in which a DPIA would have been necessary in connection with CRM or personnel databases. This may apply if the CRM data is linked to a DMP.

Do you have any further questions about a DPIA or need any support on this particular matter? Please feel free to contact us!