DPIA for private detective agencies

As a private detective agency, you may have to carry out a data protection impact assessment (DPIA). This depends on the data you process.

What is a DPIA?

A DPIA is an instrument for identifying and listing the privacy risks of a data processing operation beforehand, and for subsequently taking measures to mitigate those risks. You have to decide for yourself whether you have to carry out a DPIA.

Examples of a mandatory DPIA under the GDPR

The General Data Protection Regulation (GDPR) says that you must carry out a DPIA in any case if you:

  • systematically and comprehensively evaluate personal aspects of people (such as professional performance, economic situation, health, personal interests, reliability, behaviour, location, movements) based on automated processing of their data, including profiling, and based on such processing take decisions that have consequences for these people;
  • process special personal data or criminal data on a large scale;
  • systematically and on a large scale track people in a publicly accessible area, for example using camera surveillance.

Mandatory DPIA list

In addition, the Dutch Data Protection Authority (Dutch DPA) has drawn up a DPIA list (in Dutch). This list contains processing operations for which carrying out a DPIA is mandatory before you start processing. Covert investigation by a private detective agency is also on that list.

Prior consultation

Does the DPIA show that your personal data processing entails a high risk? And are you unable to find sufficient measures to limit this risk? In that case, you have to consult with the Dutch DPA before starting the processing. This is called a prior consultation.