Where a type of processing, in particular using new technologies and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
A data protection impact assessment shall in particular be required in the case of:
a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
processing on a large scale of sensitive personal data as defined in Article 2 of this Code;
systematic monitoring of a publicly accessible area or service on a large scale, including the monitoring of digital spaces, platforms, or communications services operated by or on behalf of the Principality.
The supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority may also establish and make public a list of the kinds of processing operations for which no data protection impact assessment is required.
The assessment shall contain at least:
a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1;
the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Code, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
Where the assessment under paragraph 4 indicates that the processing would result in a high residual risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to processing in accordance with paragraph 7.
The controller shall seek the advice of the supervisory authority where a data protection impact assessment under this Article indicates that the processing would result in a high risk notwithstanding the measures envisaged by the controller. The supervisory authority shall, within a period to be specified by it, provide written advice to the controller and, where applicable, to the processor, and may exercise any of its powers conferred by this Code. The supervisory authority shall in particular advise the controller where the intended processing would infringe this Code, and shall indicate the measures to be taken to bring the processing into compliance.
The controller shall review the data protection impact assessment and, where necessary, update it whenever there is a material change in the risk presented by the processing operations, including a change in the nature, scope, context, or purposes of the processing, or the introduction of new technologies.