Data Protection & GDPR Compliance
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a process designed to help identify, assess, and minimize the data protection risks of a project or processing activity. It is a mandatory requirement under Article 35 of the General Data Protection Regulation (GDPR) whenever a data processing activity is likely to result in a high risk to the rights and freedoms of individuals.
A DPIA enables us to ensure that our data processing activities respect the privacy and security of individuals while demonstrating compliance with the GDPR.
When is a DPIA Required?
A DPIA must be conducted when:
Introducing new data processing activities or significantly changing existing ones.
Implementing new technologies.
Performing systematic and extensive profiling.
Conducting automated decision-making with legal or similarly significant effects.
Processing sensitive categories of data (e.g., health, biometrics).
Conducting large-scale processing.
Monitoring publicly accessible areas systematically.
Processing data relating to vulnerable individuals.
At Devoteam Portugal, DPIAs must also be carried out for client projects hosted on our infrastructure whenever any of the triggers above applies to the processing involved.
Our DPIA Process
At Devoteam Portugal, we follow a structured Data Protection Impact Assessment (DPIA) Process to ensure full compliance with GDPR requirements. These are its main steps:
Determine the Need for a DPIA: Assess whether the processing activity meets any of the triggers listed above.
Initiate the DPIA: Define the scope and objectives of the assessment.
Assess Necessity and Proportionality: Ensure data minimization and adherence to GDPR principles.
Identify and Assess Risks: Evaluate the risks to data subjects and propose mitigation measures.
Document and Review the DPIA: The DPO and the CIO compile the findings into a DPIA report for review and approval.
Consult with Supervisory Authority (if necessary): When high residual risks remain after mitigation, the DPO engages the CNPD through the prior consultation procedure of Article 36 of the GDPR.
Approve or Reject the Processing: The DPO decides whether the processing activity can proceed.
Implement Recommendations: Apply all risk mitigation and control measures.
Records and Documentation: The DPO maintains DPIA records securely, in line with retention policies.
Monitoring and Auditing: The DPO ensures continued compliance through regular audits.
For detailed guidance, please refer to our internal procedure: PT-GDPR-PROC.4.0 - Data Protection Impact Assessment (DPIA) Process
Roles and Responsibilities
Compliance Director & Data Protection Officer (DPO): Ensure the DPIA process is followed, review and approve DPIAs, and support project teams.
Head of Area/Unit: Identify and initiate DPIAs, and lead the assessment with the DPO’s support.
Employees: Cooperate during DPIAs when necessary and comply with recommendations.
Have Questions?
For any questions or support regarding DPIAs, reach out to Rute Reizinho (Compliance Director & DPO) at pt.compliance@devoteam.com.