Data protection impact assessment (DPIA) in the Vaud public sector
A data protection impact assessment is required for processing activities likely to generate a high risk to the rights of data subjects, for example video surveillance, profiling, or automated decisions. The LPrD revision formally introduces this procedure for Vaud public bodies.
A DPIA describes the processing, assesses its necessity and proportionality, identifies the risks for data subjects, and defines measures to reduce them. It is conducted before the processing activity begins. For a public entity, the DPIA is also a governance tool: it documents the choices made and facilitates dialogue with the cantonal commissioner.
