To determine whether a full Data Protection Impact Assessment must be carried out before the solution is put into operation.
| Nr. | Question | Yes / No |
|---|---|---|
| 1 | Treated there special categories of personal data (health, ethnicity, religion, trade union relations, etc.)? | |
| 2 | Profile the solution citizens to make (partially) automated decisions? | |
| 3 | Transferred personal data to third countries outside the EU/EEA? | |
| 4 | Is the target group vulnerable (e.g. children, the elderly, citizens with disabilities)? | |
| 5 | Treated there large amounts of data about a significant part of the municipality's citizens? | |
| 6 | Is it about systematic monitoring of public areas (camera, IoT sensors)? | |
| 7 | Use the solution new or unproven technology, which citizens cannot reasonably expect? | |
| 8 | May have unintentional output (hallucinations). significant consequences for citizens' rights or services? | |
| 9 | Is there lack of transparency about the model's training data or decision logic? | |
| 10 | Is there a risk of data being combined with other registers and form a more comprehensive picture of the citizen? |
Huske-regel: If ≥ 3 answers are “Yes”, the Norwegian Data Protection Authority recommends a full DPIA, cf. GDPR art. 35. (eur-lex.europa.eu)
No (or minimal) personal data: the chatbot only looks up the publicly available legal text, which does not contain citizen or employee information. Thus, the processing does not trigger a high risk for the rights of natural persons. (retsinformation.dk)
No profiling or automatic decisions: the assistant only provides paragraph explanations; it makes no decisions on individual cases.
All data processing remains in the EU: Promte hosts all models and log data on EU-based servers, so there are no third-country transfers that could otherwise trigger DPIA obligations.
Users are not a vulnerable group: the target group is municipal employees, not children or other vulnerable citizens.
On our 10-point checklist, only one question (“new technology?”) will typically get a one Yes, i.e. far below the DPIA limit. A brief risk assessment and registration in the municipality's treatment register is therefore sufficient; a full DPIA is usually unnecessary.
