Recital 90

In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.

This recital of the General Data Protection Regulation clarifies article 35 GDPR (Data protection impact assessment).*

* The reference between articles and recitals is based on the professional assessment of

Articles of the GDPR

CHAPTER X – Delegated acts and implementing acts (Art. 92 – 93)