How can a non-EU company assess whether processing is “unlikely to result in a risk to the rights and freedoms of individuals”?

The GDPR does not define the notion of “risk to the rights and freedoms of individuals” but the recitals include examples of the types of risks which should be considered:

  • physical, material or non-material damage, in particular where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage
  • where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data
  • where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures
  • where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles
  • where personal data of vulnerable natural persons, in particular of children, are processed
  • where processing involves a large amount of personal data and affects a large number of data subjects.