Article 42(1) of the Data Protection Act explicitly confirms that for a set of similar processing operations that present similar high risks, a single data protection impact assessment is enough.
DPIA list of the Slovak supervisory authority
Slovak Data Protection Authority also published a list of processing operations for which the data protection impact assessment is necessary (in English).
These operations include for example:
- Processing of biometric or genetic data for the purpose of uniquely identifying a natural person in conjunction with at least one other criterion mentioned in Guidelines WP 248
- Processing operations of genetic data of a natural person in conjunction with at least one other criterion mentioned in Guidelines WP 248.
- Processing of location data together with another criterion mentioned in Guidelines WP 248.
- Scoring.
- Credit rating.
- Etc.
Guidelines of the supervisory authority
The Slovak Data Protection Authority published a methodology of data protection impact assessments (in Slovak).
Prior consultation
Moreover, the Slovak Data Protection Act does not regulate the opening clause of Article 36(5) of the Data Protection Act. Therefore, it does not require the prior consultation or authorization from the supervisory authority in relation to processing in the public interest, including processing in relation to social protection and public health.