This dissertation aims at carrying out a sample Data Protection Impact Assessment (DPIA) according to the General Data Protection Regulation 2016/679 of the European Parliament and the Council of the European Union (hereafter “GDPR”) for the personal data processing operations of a Greek Agency of the Public Sector (a real-life example).
In the first part of the thesis, Article 35 GDPR on Data Protection Impact Assessment is examined, closing with remarks on the legal requirements for a DPIA.
Moreover, specific issues of the Article 29 Working Party (hereafter “WP29”) guidelines on Data Protection Impact Assessment (hereafter “the guidelines”), as last revised and adopted on 4 October 2017, are examined, and the methodology for carrying out a DPIA is presented.
Additionally, the Agency for which the DPIA is carried out is described according to ISO 27001/2013.
Furthermore, the types and purposes of the data processing conducted by the Agency, as well as the consultation stage for the DPIA conductor, are illustrated. The thesis proceeds with the identification of the lawful basis of the data processing and the identification and assessment of the relevant privacy risks. The proposed measures for mitigating the identified risks are presented and analysed.
Finally, the data collected are entered into the respective CNIL software, and the outcome is presented in the form of a risk mapping.