Any risk assessment required under the GDPR must also take into account the "context of processing". When determining which measures are appropriate to achieve the lawfulness of the processing, there are several weighting parameters. The "context of processing" is one of them. In addition, other GDPR provisions for assessing the risk of data processing are also based on the "context of processing":
Art. 14 III a: The "specific circumstances" in which the data are processed affect the period within which the controller must inform the data subject.
Art. 24 I 1: The "context of processing" is a criterion for assessing which measures ensure that the processing is carried out in accordance with the GDPR.
Art. 25 I: The "context of processing" is a criterion for assessing which measures are necessary to ensure data protection by design.
Art. 27 II a: The "context of processing" shall be taken into account when determining whether a controller or processor not established in the Union must designate a representative.
Art. 32 I: The "context of processing" must be taken into account when considering what measures will ensure an appropriate level of data security.
Art. 35 I: Whether a data processing operation poses a high risk to the data subject and therefore requires a data protection impact assessment depends, among other things, on the "context of processing".
Art. 39 II: The data protection officer shall take into account the "context of processing" in the performance of his/her duties. [see also § 7 III German Federal Data Protection Act: "have due account"]
Art. 49 I 2: Where a third-country transfer cannot be based on an adequacy decision or other safeguards, the controller has to assess "all the circumstances surrounding" the data transfer.
Art. 83 II a: The "scope of processing" also plays a role as a criterion in the decision of a supervisory authority on the imposition of an administrative fine and its amount.
§ 22 II 2 BDSG (German Data Protection Act): The controller must take into account, among other things, the "context of processing" in the measures he must take if he processes data on the basis of § 22 I BDSG in derogation of Art. 9 I GDPR.
§ 26 II 1 BDSG: If the processing of employee data takes place on the basis of consent, the "dependency of the employed persons" existing in the employment relationship and the "circumstances under which the consent was given" are to be taken into account in particular for the assessment of the voluntariness of the consent.
§ 32 I No. 1/III BDSG: The information obligation under Art. 13 III GDPR does not apply, among other things, if the interest of the data subject in the provision of information is to be regarded as low according to the "circumstances of the individual case, in particular with a view to the context in which the data were collected". If the information is not provided, however, the controller must provide it subsequently, taking into account the "specific circumstances of the processing".