The concept of impact assessment in European privacy and personal data protection law

  • Dariusz Kloza ((PhD) Student)

Student thesis: Doctoral Thesis


This thesis systematically analyses, from the European perspective, the concept of impact assessment as a tool for the governance and management of privacy and personal data, including their protection and promotion.
Evaluation techniques such as impact assessment have already been well-established and widely practised in multiple domains (for example, risk management, and environmental- or technology impact assessment), where they continuously evolve. Impact assessment has in recent decades emerged in the fields of privacy and personal data, where it has quickly gained momentum. Yet, to date, it remains rather an uncharted territory, especially in the legal realm. As a case in point, in the European Union, the General Data Protection Regulation (2016) – aiming at ensuring a high level of protection of individuals – legally obliged data controllers to conduct the process of data protection impact assessment before processing personal data, provided such processing could present a high risk to the rights and freedoms of individuals.
Consistent with the foregoing, this thesis has two objectives. First, it aims to advance the theoretical and legal understanding of the concept of privacy impact assessment. Second, it aims to examine a legal obligation to conduct the assessment process, using data protection impact assessment, as foreseen in the General Data Protection Regulation, as an example.
The thesis is organised in seven chapters, according to the rhetorical device of septem circumstantiae. It takes a multidisciplinary perspective, analysing both conceptual and practical aspects. Having offered a glossary of the key terms in the field, this thesis first argues for a pluralistic understanding of privacy impact assessment (Chapter I). Subsequently, the thesis situates privacy impact assessment amongst the many tools for privacy protection (Chapter II), maps the users of this concept and their perspectives thereon (Chapter III), outlines the reasons for its emergence and use (Chapter IV), and looks at its historical development (Chapter V). The thesis then proposes a framework (conditions and principles) governing the concept of impact assessment and suggests a corresponding method to perform the assessment process (Chapter VI).
Eventually, this thesis takes exclusively a legal perspective on data protection impact assessment (Chapter VII). It sketches the possible interactions between impact assessment and the law, and the venues where these interactions might occur. It articulates those elements of the said new legal obligation to conduct the assessment process that might require authoritative interpretation by a court of law (for example, the concept of a risk to a right or public participation). Following a comparative approach, it then considers whether relevant solutions adopted in European environmental law could be applied mutatis mutandis to privacy and data protection law.
This thesis lays the foundations for the coherent theory of impact assessment in the fields of privacy and personal data, and for the legal understanding of this concept. The thesis has been written on the basis of the law as it stood on 31 August 2019.
Date of Award11 Dec 2019
Original languageEnglish
Awarding Institution
  • Vrije Universiteit Brussel
SupervisorPaul De Hert (Co-promotor), J. Peter Burgess (Co-promotor), Serge Gutwirth (Jury), Eleni Kosta (Jury), Jamal Shahin (Jury) & Brendan Van Alsenoy (Jury)


  • privacy
  • data protection
  • DPIA
  • PIA
  • privacy impact assessment
  • data protection impact assessment
  • GDPR
  • impact assessment
  • environmental impact assessment

Cite this