Data Protection Impact Assessment
The DPIA process aims at providing assurance that controllers adequately address privacy and data protection risks of ‘risky’ processing operations. By providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIAs help organisations to comply with the requirement of ‘data protection by design’ where it is needed the most, i.e. for ‘risky’ processing operations. (text copied from EDPS website)
- Guidelines for determining whether data processing is likely to result in “high risk”, in which case registration and/or application with the EDPR is required (note: this is also related to assessing proportionality, described in the Step 1 “Use Case and Goals” resource library of this toolkit): https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236
An OSCM project that collects data from the “systematic monitoring of a publicly accessible area on a large scale” is required to complete a DPIA and submit it to the EDPS for review.
The Data Processing Agreement
A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor. (text from Google search result about)
The DPA is all about clear definitions, roles and responsibilities of the data owner and the data processor in a “client vendor” relationship. When a city innovator enters into a business relationship with a solution provider that processes personal data, they must complete this agreement.
TADA Principles and Manifesto
At the core of any successful OSCM computer vision project are the ethics regarding data use and reuse. How you, as a government innovator, uphold data ethics in your project will ensure the public's best interests are kept in mind and inform your team how to communicate your ethical data practices. Understanding how Data Ethics relates to the Technical, Legal and Spatial considerations for your project is also important in the beginning stages.
You should be aware that whatever information or data you create in a project that generates data in public spaces or acquires data from people needs to be accessible to the public. Make a plan to publish your data on an open data portal.
Transparency and informing the public about how their data are being used are two basic goals of the GDPR. This article explains what a privacy notice is and offers a privacy notice template to help you comply with the law.
About writing a GDPR compliant privacy notice (template included): https://gdpr.eu/privacy-notice/