ETHICA SOCIETAS – Review of Human and Social Sciences

THE IMPACT ASSESSMENT CANNOT LAST INDEFINITELY AND MUST ALWAYS HAVE A DEFINED EXPIRY DATE – Massimiliano Mancini

Accountability is ensured through regular updates, because even if the video surveillance system does not change, the recorded context may vary

Massimiliano Mancini

Abstract: The Data Protection Impact Assessment (DPIA) is an essential tool within the data protection framework established by Regulation (EU) 2016/679 for processing operations that present a high risk to the rights and freedoms of natural persons. This contribution examines the legal necessity of updating the DPIA as an expression of the principle of accountability, highlighting its dynamic and procedural nature. With particular reference to video surveillance processing and to processing carried out for public security and judicial police purposes, the article shows how changes in context, purposes, or processing conditions may affect the lawfulness of the processing itself, potentially leading to the involvement of special categories of personal data. The DPIA is therefore reconstructed as a continuous risk management process, whose failure to remain up to date entails significant risks of non-compliance and liability for the data controller.

Keywords: #DPIA #PrivacyImpactAssessment #GDPR #Accountability #PersonalDataProtection #VideoSurveillance #DataProtection #PrivacyCompliance #SpecialCategoriesOfData #DataSecurity #DPO #RiskAssessment #PrivacyByDesign #EDPB #DataProtectionAuthority #DataProcessing #CyberSecurity #RegulatoryCompliance #MassimilianoMancini #ethicasocietas #ethicasocietasjournal #scientificjournal #humanities #socialsciences #ethicasocietasupli #italianlocalpoliceunion




The Impact Assessment – DPIA

The Data Protection Impact Assessment (DPIA) is a compliance requirement that, as a general rule, is mandatory whenever processing operations involving new technologies are carried out and are likely to result in a high risk to the rights and freedoms of natural persons (Article 35 of Regulation (EU) 2016/679 – GDPR, Recital 85). This requirement also applies to processing carried out for judicial police and public security purposes (Article 23 of Legislative Decree No. 51/2018, Recital 53 of Directive (EU) 2016/680).

In any case, a DPIA is always mandatory for all processing operations involving any video surveillance system deployed in public areas (EDPB Guidelines 3/2019, point 2).

Updating the DPIA is therefore not a discretionary option but a legal and operational necessity; omitting it renders the assessment ineffective and exposes the data controller to significant risks, including administrative sanctions.

The Legal Basis for Updating the DPIA

The updating of the DPIA, like all personal data protection measures, is a cornerstone of compliance with the principle of accountability (Article 24(1) GDPR and Article 5(2) GDPR). It is therefore necessary not only to ensure, but also to be able to demonstrate, that the security of processing operations is regularly reviewed and that any resulting risk mitigation measures are duly updated, in all cases and for all purposes, including processing operations falling outside the scope of the GDPR (Article 15 of Legislative Decree No. 51/2018).

In particular, the updating of the data protection impact assessment is required by applicable law in order to verify that personal data processing is carried out in accordance with the relevant provisions and to assess whether changes in risk levels arise (Article 35(11) GDPR).

This obligation also applies to processing carried out for the purposes of prevention, investigation, detection, and prosecution of criminal offences, as well as for the execution of criminal penalties and the safeguarding against and prevention of threats to public security. In such cases, the law requires continuous review and updating of data protection measures by the data controller.

It follows that a non-updated DPIA is, in fact, legally inadequate.

The Objective Need to Update the DPIA

The need to update the DPIA does not arise solely from changes to the video surveillance system itself. Even where the system remains unchanged, the risk assessment and the lawfulness of the processing evaluated in the DPIA may no longer be valid, as numerous other elements may vary and undermine its validity, including, by way of example:

1. Changes to the Processing

  • introduction of new purposes;

  • expansion of the categories of personal data processed;

  • involvement of new categories of data subjects;

  • change in the legal basis for processing;

  • need to submit the DPIA to the supervisory authority for prior consultation due to increased risk, or the adoption of new tools requiring such consultation (e.g. drones, body-worn cameras).

2. Technological Changes

  • adoption of new software or platforms;

  • migration to cloud services;

  • use of artificial intelligence, profiling, or automated decision-making systems;

  • increased interoperability or interconnection of systems.

3. Risk Evolution

  • increase in the volume of data processed;

  • new threat scenarios (cyber risk, data breaches);

  • negative outcomes of audits or inspections;

  • personal data breaches.

4. Organisational or Regulatory Changes

  • organisational restructuring;

  • mergers or outsourcing;

  • new EDPB guidelines or decisions of the Data Protection Authority;

  • significant developments in case law.

Moreover, as frequently occurs, the context captured by the same video surveillance system may change over time. Consider, for example, a garage monitored by a camera and initially assessed as lawful and low-risk within the DPIA, which is subsequently converted into a place of worship, such as a mosque; or a commercial premises that, after approval of the impact assessment, becomes the headquarters of a trade union or political movement.

In all such cases, the footage captured by the video surveillance system would come to involve special categories of personal data (Article 9 of Regulation (EU) 2016/679), rendering the processing unlawful or, in any event, high-risk in the absence of appropriate measures to be defined within the DPIA itself.

The Risks of an Outdated DPIA

An obsolete DPIA exposes an organisation to multiple risks, including:

  • violation of the accountability principle;

  • administrative fines of up to €10,000,000 (Article 83 GDPR);

  • civil liability for damages suffered by the individuals recorded (Article 82 GDPR);

  • increased liability in the event of a data breach;

  • loss of effectiveness of security measures (Article 32 GDPR);

  • reputational damage and loss of trust by data subjects.

Supervisory authorities have repeatedly clarified that an “outdated” DPIA is, in practice, equivalent to no DPIA at all.

DPIA as a Continuous Process, Not a Document

The DPIA must be conceived as a cyclical process, integrated into compliance management and information security systems. An effective approach includes:

  • scheduled periodic reviews;

  • event-driven updates;

  • traceability of decisions;

  • integration with risk assessment and ISO/IEC 27001 frameworks.

Conclusions

Updating the DPIA therefore constitutes a guarantee of reliability and lawfulness of processing, representing a concrete expression of the accountability principle (Article 24(2) GDPR). This applies even where no changes have occurred and the periodic update merely confirms the previous assessment.

For this reason, the DPIA must provide for a defined and explicit expiry date, allowing for periodic verification of the relevance and adequacy of the risk assessment and thereby also serving as the permanent process for verifying adequacy that the law requires (Article 32(1)(d) GDPR).

Updating the DPIA means consciously managing risk, demonstrating substantive compliance with the GDPR, and effectively safeguarding the rights and freedoms of data subjects. In a context characterised by rapid technological and regulatory evolution, a static DPIA is not only ineffective, but dangerous.

True compliance does not lie in merely having “carried out” a DPIA, but in keeping it alive.


NOTES:

[1] Regulation (EU) 2016/679 (GDPR), Article 35 (Data Protection Impact Assessment): “1. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. […omissis…]”

[2] Regulation (EU) 2016/679 (GDPR), Recital 85: “A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it should be accompanied by reasons for the delay and the information may be provided in phases without further undue delay.”

[3] Legislative Decree No. 51/2018, Article 23 (Data Protection Impact Assessment): “1. Where processing, due to the use of new technologies and having regard to its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to processing, carry out an assessment of its impact on the protection of personal data. […omissis…]”

[4] Directive (EU) 2016/680, Recital 53: “The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires appropriate technical and organisational measures to ensure compliance with this Directive. The implementation of such measures should not depend solely on economic considerations. In order to be able to demonstrate compliance with this Directive, the controller should adopt internal policies and implement measures that adhere in particular to the principles of data protection by design and data protection by default. Where the controller has carried out a data protection impact assessment pursuant to this Directive, its results should be taken into account when developing the above-mentioned measures and procedures. The measures could include, inter alia, the use of pseudonymisation as early as possible. The use of pseudonymisation for the purposes of this Directive may be instrumental in facilitating, in particular, the free movement of personal data within the area of freedom, security and justice.”

[5] EDPB – European Data Protection Board. Guidelines 3/2019 on processing of personal data through video devices. Version 2.0, 29 January 2020. Point 2 – Scope: “7. The systematic and automated monitoring of a specific space by optical or audiovisual means, mostly for the purpose of protecting property or safeguarding the life and health of individuals, has become a significant phenomenon in modern times. This activity involves the collection and storage of graphic or audiovisual information on all persons entering the monitored space who are identifiable by their appearance or by other specific elements. The identity of such persons can be established on the basis of the information thus collected. This type of surveillance also allows further processing of personal data relating to the presence and behaviour of persons in the monitored area. The potential risk of misuse of such data increases with the size of the monitored area and the number of persons frequenting it. This is reflected in Article 35(3)(c) GDPR, which requires the performance of a data protection impact assessment in the case of systematic monitoring on a large scale of a publicly accessible area, and in Article 37(1)(b) GDPR, which requires controllers to designate a data protection officer where the nature of the processing requires regular and systematic monitoring of data subjects.”

[6] Regulation (EU) 2016/679 (GDPR), Article 24 (Responsibility of the controller): “[…] Those measures shall be reviewed and updated where necessary.”

[7] Regulation (EU) 2016/679 (GDPR), Article 5 (Principles relating to processing of personal data): “2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

[8] Legislative Decree No. 51/2018, Article 15 (Obligations of the controller): “1. Taking into account the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure that processing is performed in accordance with the provisions of this Decree. 2. The measures referred to in paragraph 1 shall be reviewed and updated where necessary and, where proportionate to the processing activities, shall include the implementation of appropriate data protection policies by the controller.”

[9] Regulation (EU) 2016/679 (GDPR), Article 35 (Data Protection Impact Assessment): “11. Where necessary, the controller shall carry out a review to assess whether processing of personal data is performed in accordance with the data protection impact assessment at least where there is a change of the risk represented by processing operations.”

[10] Regulation (EU) 2016/679 (GDPR), Article 83 (General conditions for imposing administrative fines): “4. In accordance with paragraph 2, infringements of the following provisions shall be subject to administrative fines up to EUR 10,000,000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43 […omissis…]”

[11] Regulation (EU) 2016/679 (GDPR), Article 82 (Right to compensation and liability): “1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. […omissis…]”

[12] Regulation (EU) 2016/679 (GDPR), Article 32 (Security of processing): “1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, […omissis…]”

[13] Regulation (EU) 2016/679 (GDPR), Article 32 (Security of processing): “1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which shall include, inter alia, as appropriate: […omissis…] (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”




Ethica Societas is a free, non-profit review published by a social cooperative non-profit organisation.
Copyright Ethica Societas, Human & Social Science Review © 2026 by Ethica Societas UPLI onlus.
ISSN 2785-602X. Licensed under CC BY-NC 4.0.
