DPIA for private detective agencies
As a private detective agency, you may have to carry out a data protection impact assessment (DPIA). This depends on the data you process.
What is a DPIA?
A DPIA is an instrument for identifying and listing the privacy risks of a data processing operation beforehand, and for subsequently taking measures to mitigate those risks. You have to decide for yourself whether you have to carry out a DPIA.
Examples of a mandatory DPIA under the GDPR
The General Data Protection Regulation (GDPR) says that you must carry out a DPIA in any case if you:
- systematically and comprehensively evaluate personal aspects of people (such as professional performance, economic situation, health, personal interests, reliability, behaviour, location, movements) based on automated processing of their data, including profiling, and based on such processing take decisions that have consequences for these people;
- process special personal data or criminal data on a large scale;
- systematically and on a large scale track people in a publicly accessible area, for example using camera surveillance.
Mandatory DPIA list
In addition, the Dutch Data Protection Authority (Dutch DPA) has drawn up a DPIA list (in Dutch). This list contains processing operations for which carrying out a DPIA is mandatory before you start processing. Covert investigation by a private detective agency is also on that list.
Note: This list is not exhaustive. It could be that your processing is not on this list, but that you have to carry out a DPIA all the same.
Prior consultation
Does the DPIA show that your personal data processing entails a high risk? And are you unable to find sufficient measures to limit this risk? In that case, you have to consult with the Dutch DPA before starting the processing. This is called a prior consultation.