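(91) This applies in particular to large-scale processing operations that are intended to process a considerable amount of personal data at regional, national or supranational level, and that may affect a large number of data subjects and result in a high risk, for example on account of their sensitivity, where, in accordance with the existing state of technological knowledge, a new technology is used on a large scale, as well as to other processing operations that result in a high risk to the rights and freedoms of data subjects, in particular where those operations make it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be carried out where personal data are processed in order to take decisions regarding specific persons, following a systematic and intensive evaluation of the personal characteristics of the persons concerned based on profiling, or following the processing of special categories of personal data, biometric data, or data on criminal records and offences or related security measures. A data protection impact assessment is also necessary for the large-scale monitoring of public places, especially when optic-electronic devices are used, or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because those devices or operations prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. Where personal data from patients or clients are processed by an individual physician, other health care professional or lawyer, the processing should not be considered to be on a large scale. In such cases, a data protection impact assessment is not mandatory.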
(91) This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights.
A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures.
A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale.
The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.
In such cases, a data protection impact assessment should not be mandatory.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.