Data Protection Impact Assessment Guidance
Data Protection Impact Assessments (DPIA) are designed to help data controllers systematically analyze, identify, and minimize the protection risks associated with new technologies or projects. They are an essential part of data controller's accountability obligations under European Union's General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED).
The purpose of this document is to provide data controllers information about Axon Cloud Services to help to determine if a DPIA is needed and if so, what details to include when considering Axon Cloud Services. However, utilization of Axon Cloud Services does not inherently require a DPIA. Data controllers should work with their own legal teams to understand and comply with applicable laws and regulations related to their use of Axon Cloud Services. Axon is not providing any legal advice in this document and it should be used for informational purposes only.
Please contact email@example.com or your Axon representative for additional assistance in completing a DPIA in relation to using Axon Cloud Services.
Identify the need for a DPIA
GDPR Article 35 and LED Article 27 require that a DPIA shall be created 'where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.'
Where applicable, data controllers should determine any additional requirements implemented in applicable law or regulation for the protection of the rights and freedoms of the data subject with regards to the processing of personal data by competent authorities.
GDPR Article 35 (3) specifies that the following processing operations shall in particular require a DPIA:
|Processing Operation Considerations||Relevant Information about Axon Cloud Services|
|A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person|
Axon Cloud Services are not specifically designed to perform these types of automated processing of data.
|Processing on a large scale of special categories of data referred to in GDPR Article 9(1), or of personal data relating to criminal convictions and offences referred to in GDPR Article 10|
Axon Cloud Services provide capabilities to process on a large scale special categories of data relating to criminal convictions and offenses. Data controllers should determine applicability of this consideration based on their usage of Axon Cloud Services.
|A systematic monitoring of a publically available area on a large scale|
Axon Cloud Services are not specifically designed to perform systematic monitoring of a publicly available area on a large scale. However, customers can use Axon Cloud Services to process data collected through such monitoring. Data controllers should determine applicability of this consideration based on their usage of Axon Cloud Services.
A DPIA is used to help data controllers comply with their data protection obligations and meet individual's expectation of privacy. DPIA elements are specified in GDPR Article 35(7) and LED Article 27 (2). Below you can find relevant information about Axon Cloud Services to help with the completion of a DPIA:
|GDPR DPIA Element||LED DPIA Element||Relevant Information About Axon Cloud Services|
|A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller|
A general description of the envisaged processing operations
The data controller is responsible for implementing, configuring, and using Axon Cloud Services. As such, the data controller shall determine the categories of data processed and the purpose of processing Axon Cloud Services.
|An assessment of the necessity and proportionality of the processing operations in relation to the purposes|
The data controller shall determine the necessity and proportionality of the processing operations in relation to the purposes when processing their content through Axon Cloud Services.
|An assessment of the risks to the rights and freedoms of data subjects referred to in GDPR Article 35 (1)|
An assessment of the risks to the rights and freedoms of data subjects
The key risks to the rights and freedoms of data subjects from the use of Axon Cloud Services will be a function of how and in what context the data controller implements, configures, and uses Axon Cloud Services. The risks shall be determined by the data controller.
|The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned|
The measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Directive, taking into account the rights and legitimate interests of the data subjects and other persons concerned
Axon Cloud Services has implemented many security mechanisms to protect the confidentiality, integrity, availability, and privacy of Customer Data*. These include data encryption, security monitoring, service resiliency, access control, evidence integrity, and many more.
|Supplemental Information about Axon Cloud Services|
Evidence retention periods are defined by the data controller within their internal retention policies and procedures. The data controller has the ability to establish Evidence retention policies within Axon Cloud Services.
|Data Location and Transfers|
Axon Cloud Services are offered in numerous geographic regions. The data controller determines which regional deployment of Axon Cloud Services it wishes to utilize prior to tenant creation in Evidence.com. The data controller's selection determines where its Content will be stored.
Axon may transfer data with its subsidiaries and Sub-processors including service providers and other partners to support the overall delivery of Axon products and service.
Axon Cloud Services provides an Evidence audit trail that logs the when, who, and what for interactions with Evidence. The audit trail logs cannot be edited or changed, even by tenant administrators.
|Data Subject Rights|
Within the scope and Axon's authorization to do so, Axon will work with data controller in fulfilling data subject requests when they exercise their rights under GDPR and LED. If Axon receives a request from the customer's data subjects to exercise one or more of its rights under GDPR or LED, the request will be redirected to the data controller.