As stated in Article 39(1) of the Law on the Protection of Personal Data ("Official Gazette of RSM" No. 42/20): "When, in using new technologies for some type of processing and taking into account the nature, scope, context and purposes of the processing, there is a possibility that it will cause a high risk to the rights and freedoms of natural persons, the controller is obliged, before the processing is carried out, to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."
The Personal Data Protection Impact Assessment (PVZLP) is a process that should describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons arising from the processing of personal data, by assessing those risks and foreseeing measures to deal with them.
It is important to emphasize that the PVZLP must be performed before the processing of personal data begins. In fact, compliance with the principle of accountability (Article 28 of the Personal Data Protection Law) requires the controller to apply appropriate technical and organizational measures to be able to prove compliance with the GDPR from the very beginning of personal data processing. Among the implementation measures, as provided by the principle of technical and integrated protection of personal data (data protection by design and by default), are the minimization of the processing of personal data, pseudonymization of personal data, transparency regarding the functions and processing of personal data, enabling the subject of personal data to monitor the processing of personal data, and enabling the controller to improve security. The PVZLP is a tool that facilitates decision-making regarding the processing of personal data, especially regarding the application of technical and organizational measures that will ensure respect for the rights and freedoms of natural persons. Hence, the PVZLP must be performed before processing begins. The PVZLP should start as early as the design of the processing operation, even when some of the processing operations are still unknown.
The only exception to this general rule is already existing processing that was previously checked by the Agency. In this case, the controller must carry out the PVZLP before making significant changes to existing personal data processing operations.

