NEWSLETTER-2017

those data to another controller without hindrance from the controller to which the personal data have been provided [6].

• Notification of Data Violations. Art. 33 of the GDPR foresees a notification obligation for data controllers where the security of personal data is compromised. Accordingly, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Further, the data processor shall also notify the data controller of any personal data breach without undue delay.

• Privacy Impact Assessment (PIA). In accordance with Art. 35 of the GDPR, where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Such instances are exemplified under Art. 35(3) as follows:

a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

b) processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or

c) a systematic monitoring of a publicly accessible area on a large scale.

[6] Díaz Díaz, Efrén. The new European Union General Regulation on Data Protection and the Legal Consequences for Institutions, Church, Communication and Culture, 2016 1:1, p. 224.
