Our remarks

• When collecting data from the data subject through capturing video, make sure to properly inform the data subject of the nature and purpose of the processing as well as their rights. This ensures fair and transparent processing. In the case in question, a sign on the car containing a camera symbol as well as the mandatory information is likely to be adequate.
  ° Note: This practice differs from Danish DPA decisions, in which personal data collected through video surveillance is regulated through GDPR, Article 14, thereby allowing for the exemption from the obligation to inform the data subject, if doing so proves impossible or involves a disproportionate effort. This would likely be the case when the data subjects are road users.
• Any processing of personal data carried out on behalf of a controller must rely on a data processing agreement. The processor must prove appropriate technical and organizational measures to ensure compliance with the GDPR, and the data processing agreement must be clear and comprehensive.
• Make sure to keep a record of all processing activities containing the purpose of the processing, a description of categories of personal data, the categories of third-party disclosures, third country transfers, envisaged time limits for erasure and, where possible, a general description of technical and organizational security measures.
• When processing is likely to result in a high risk to the rights and freedoms of the data subjects, performing a data protection impact assessment (DPIA) is required. While the case in question does not specify why the data processing was ‘likely to result in a high risk to the rights and freedoms of natural persons’, the use of new technologies (e.g., the use of new technologies in innovative ways or the use of new technologies in combination) is generally an indicator that a DPIA would be necessary. A DPIA should at least contain:
  ° A description of the envisaged processing operations including purposes and, where applicable, legitimate interests,
  ° An assessment of the necessity and proportionality,
  ° An assessment of the risks to the rights and freedoms of data subjects,
  ° The measures envisaged to address these risks.
• Seek advice from your designated Data Protection Authority when performing a DPIA.

Published: 26-07-22
Journal number: N/A

Complycloud EU GDPR Report - Page 49