13 provisions of the GDPR stipulate that the controller must carry out risk assessments or risk impact assessments in order to determine whether its own data processing is lawful, whether its own technical and organisational measures are appropriate or whether it is subject or not subject to certain obligations:
Art. 24 I: Taking into account the risks for the rights and freedoms of natural persons the controller shall implement appropriate measures.
Art. 25 I: Taking into account the risks for the rights and freedoms of natural persons the controller shall implement appropriate measures.
Art. 27 II a: The obligation to designate a representative shall not apply to processing which is unlikely to result in a risk to the rights and freedoms of natural persons.
Art. 30 V: The obligation to maintain a record of processing activities does not cease if the processing is likely to result in a risk to the rights and freedoms of data subjects.
Art. 32 I: Taking into account the risk for the rights and freedoms of natural persons the controller and the processor shall implement appropriate measures.
Art. 32 II: In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing.
Art. 33 I 1: In the case of a personal data breach, the controller shall notify the breach to the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Art. 34 I: When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject.
Art. 34 III b: The communication to the data subject shall not be required if the controller has taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
Art. 35 I: Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Art. 36 I: The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Art. 39 II: The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations.
Art. 49 I a: Transfers of personal data to a third country are permitted with the explicit consent of the data subject, only after the data subject has been informed about the possible risks of such transfers.
The term “risk” is used in 28 Recitals: 9, 15, 28, 35, 38, 39, 51, 65, 71, 74, 75, 76, 77, 80, 81, 83, 84, 85, 86, 89, 90, 91, 94, 96, 98, 116, 122 and 144 GDPR.