Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.
GDPR Recital EN
Recital 89
Related across sources
Guidance Guidelines 07/2020 on the concepts of controller and processor in the GDPR Guidance Guidelines 04/2022 on the calculation of administrative fines under the GDPR Guidance Guidelines 9/2022 on personal data breach notification under GDPR Guidance Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020 Enforcement Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A.: Insufficient fulfilment of data breach notification obligations Guidance Guidelines 10/2020 on restrictions under Article 23 GDPR