{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,7]],"date-time":"2026-01-07T07:39:11Z","timestamp":1767771551583,"version":"build-2065373602"},"publisher-location":"Cham","reference-count":42,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032075734","type":"print"},{"value":"9783032075741","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T00:00:00Z","timestamp":1760140800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0"},{"start":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T00:00:00Z","timestamp":1760140800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-07574-1_8","type":"book-chapter","created":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T09:10:55Z","timestamp":1760087455000},"page":"178-201","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Illuminating the\u00a0DPIA Blackbox \u2013 A Survey of\u00a0Data Protection Impact Assessment Practices in\u00a0Organisations"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4622-3819","authenticated-orcid":false,"given":"Malte","family":"Hansen","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6698-2073","authenticated-orcid":false,"given":"Greta","family":"Runge","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7360-8314","authenticated-orcid":false,"given":"Nils","family":"Gruschka","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0003-2397-9813","authenticated-orcid":false,"given":"Meiko","family":"Jensen","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,10,11]]},"reference":[{"key":"8_CR1","unstructured":"European Parliament and Council: Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation) (2016). https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&from=EN. Visited 25 Jan 2024"},{"key":"8_CR2","unstructured":"Drogkaris, P., Prieto, J.G. (eds.): European Union Agency for Cybersecurity: Engineering Personal Data Protection in EU Data Spaces (2024)"},{"key":"8_CR3","doi-asserted-by":"publisher","unstructured":"Curry, E., et al.: Data sharing spaces: the BDVA perspective. In: Otto, B., ten Hompel, M., Wrobel, S. (eds.) Designing Data Spaces: The Ecosystem Approach to Competitive Advantage, pp.\u00a0365\u2013382. Springer, Cham (2022). https:\/\/doi.org\/10.1007\/978-3-030-93975-5_22","DOI":"10.1007\/978-3-030-93975-5_22"},{"key":"8_CR4","unstructured":"Agencia Espa\u00f1ola de Protecci\u00f3n de Datos: APPROACH TO DATA SPACES FROM GDPR PERSPECTIVE (2022). https:\/\/www.aepd.es\/documento\/approach-to-data-spaces-from-gdpr-perspective.pdf. Visited 27 June 2024"},{"key":"8_CR5","doi-asserted-by":"publisher","unstructured":"N\u00e4gele, P., Petrlic, R., Schemmel, F.: Die Datenschutz-Folgenabsch\u00e4tzung in der Praxis. Datenschutz und Datensicherheit - DuD 44(11), 719\u2013728 (2020). ISSN: 1614-0702, 1862-2607. https:\/\/doi.org\/10.1007\/s11623-020-1356-3. http:\/\/link.springer.com\/10.1007\/s11623-020-1356-3. Visited 29 Apr 2024","DOI":"10.1007\/s11623-020-1356-3"},{"key":"8_CR6","doi-asserted-by":"crossref","unstructured":"Datenschutzkonferenz. Datenschutz-Folgenabsch\u00e4tzung nach Art. 35 DS-GVO (2018)","DOI":"10.37307\/j.2196-9817.2018.03.03"},{"key":"8_CR7","unstructured":"Commission Nationale Informatique & Libert\u00e9s: PIA, methodology (2018)"},{"key":"8_CR8","doi-asserted-by":"crossref","unstructured":"Friedewald, M.: Datenschutz-Folgenabsch\u00e4tzung: Chancen, Grenzen, Umsetzung. In: TATuP-Zeitschrift f\u00fcr Technikfolgenabsch\u00e4tzung in Theorie und Praxis\/J. Technol. Assess. Theory Pract. 26(1-2), 66\u201371 (2017). https:\/\/www.ssoar.info\/ssoar\/handle\/document\/68742. Visited 24 Jan 2024","DOI":"10.14512\/tatup.26.1-2.66"},{"key":"8_CR9","unstructured":"Article 29 Working Party: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is \u201clikely to result in a high risk\u201d for the purposes of Regulation 2016\/679 (2017)"},{"key":"8_CR10","unstructured":"Martin, N., et al.: The data protection impact assessment according to article 35 GDPR. In: Fraunhofer Institute for Systems and Innovation Research ISI (2020)"},{"key":"8_CR11","unstructured":"Information Commissioner\u2019s Office: Sample DPIA template. v0.3, February 2019. https:\/\/ico.org.uk\/media\/2258461\/dpia-template-v04-post-comms-review-20180308.pdf. Visited 14 Mar 2024"},{"key":"8_CR12","unstructured":"Agencia Espa\u00f1ola de Protecci\u00f3n de Datos: Template for data protection impact assessment report (DPIA) for private sector (2022)"},{"key":"8_CR13","unstructured":"Commission Nationale Informatique & Libert\u00e9s: PIA, templates (2018)"},{"key":"8_CR14","unstructured":"Commission Nationale Informatique & Libert\u00e9s: PIA, knowledge bases (2018)"},{"key":"8_CR15","unstructured":"International Organization for Standardization: Information technology \u2014 Security techniques \u2014 Guidelines for privacy impact assessment. Standard. International Organization for Standardization, Geneva, CH (2023)"},{"key":"8_CR16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-319-44760-5_2","volume-title":"Privacy Technologies and Policy","author":"F Bieker","year":"2016","unstructured":"Bieker, F., Friedewald, M., Hansen, M., Obersteller, H., Rost, M.: A process for data protection impact assessment under the European general data protection regulation. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds.) APF 2016. LNCS, vol. 9857, pp. 21\u201337. Springer, Cham (2016). https:\/\/doi.org\/10.1007\/978-3-319-44760-5_2"},{"key":"8_CR17","doi-asserted-by":"crossref","unstructured":"Hansen, M., Jensen, M., Rost, M.: Protection goals for privacy engineering. In: IEEE Security and Privacy Workshops, pp. 159\u2013166. IEEE (2015)","DOI":"10.1109\/SPW.2015.13"},{"key":"8_CR18","unstructured":"Gonscherowski, S., et al.: Durchf\u00fchrung einer Datenschutz-Folgenabsch\u00e4tzung gem. Art. 35 DSGVO auf der methodischen Grundlage eines stan- dardisierten Prozessablaufes mit R\u00fcckgriff auf das SDM am Beispiel eines \u201cPay as you drive\u201d-Verfahrens (V 0.10) (2017)"},{"key":"8_CR19","unstructured":"Haag, I., et al.: Datenschutz-Folgenabsch\u00e4tzung gem\u00e4\u00dfszlig; Art. 35 DS-GVO (2019). https:\/\/opusihandbuch.kronsoft.de\/documents\/DSFA-B3S-Gesundheitsversorgung-Art.35-DSGVO.pdf. Visited 24 Jan 2024"},{"key":"8_CR20","doi-asserted-by":"publisher","unstructured":"Kloza, D., et al.: Data protection impact assessment in the European Union: developing a template for a report from the assessment process. LawArXiv, October 2020. https:\/\/doi.org\/10.31228\/osf.io\/7qrfp. https:\/\/osf.io\/7qrfp. Visited 13 Dec 2023","DOI":"10.31228\/osf.io\/7qrfp"},{"key":"8_CR21","doi-asserted-by":"crossref","unstructured":"Demetzou, K.: Data protection impact assessment: a tool for accountability and the unclarified concept of \u2018high risk\u2019 in the general data protection regulation. Comput. Law Secur. Rev. 35(6), 105342 (2019)","DOI":"10.1016\/j.clsr.2019.105342"},{"key":"8_CR22","doi-asserted-by":"publisher","unstructured":"Friedewald, M., et al.: Data protection impact assessments in practice: experiences from case studies. In: Katsikas, S., et al. (eds.) Computer Security. ESORICS 2021 International Workshops. LNCS, vol.\u00a013106, pp.\u00a0424\u2013443. Springer, Cham (2022). ISBN: 978-3-030-95483-3 978-3-030-95484-0. https:\/\/doi.org\/10.1007\/978-3-030-95484-0_25. https:\/\/link.springer.com\/10.1007\/978-3-030-95484-0_25. Visited 29 May 2024","DOI":"10.1007\/978-3-030-95484-0_25"},{"key":"8_CR23","doi-asserted-by":"crossref","unstructured":"Wairimu, S., et al.: On the evaluation of privacy impact assessment and privacy risk assessment methodologies: a systematic literature review. IEEE Access (2024). https:\/\/ieeexplore.ieee.org\/abstract\/document\/10418587\/. Visited 28 May 2024","DOI":"10.1109\/ACCESS.2024.3360864"},{"key":"8_CR24","doi-asserted-by":"crossref","unstructured":"Georgiadis, G., Poels, G.: Towards a privacy impact assessment methodology to support the requirements of the general data protection regulation in a big data analytics context: a systematic literature review. Comput. Law Secur. Rev. 44, 105640 (2022). https:\/\/www.sciencedirect.com\/science\/article\/pii\/S0267364921001138. Visited 29 May 2024","DOI":"10.1016\/j.clsr.2021.105640"},{"key":"8_CR25","doi-asserted-by":"crossref","unstructured":"Vemou, K., Karyda, M.: Evaluating privacy impact assessment methods: guidelines and best practice. Inf. Comput. Secur. 28(1), 35\u201353 (2019). https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2019-0047\/full\/. Visited 29 May 2024","DOI":"10.1108\/ICS-04-2019-0047"},{"key":"8_CR26","doi-asserted-by":"crossref","unstructured":"Todde, M., et al.: Methodology and workflow to perform the data protection impact assessment in healthcare information systems. Inf. Med. Unlocked 19, 100361 (2020). https:\/\/www.sciencedirect.com\/science\/article\/pii\/S2352914820301477. Visited 29 May 2024","DOI":"10.1016\/j.imu.2020.100361"},{"key":"8_CR27","unstructured":"Stevanovic, U., et al.: Data Protection Impact Assessment - An Initial Guide for Communities (2018)"},{"key":"8_CR28","doi-asserted-by":"publisher","unstructured":"L\u00f3pez, C.T., Domingo, I.A., Torrijos, J.V.: Approaching the data protection impact assessment as a legal methodology to evaluate the degree of privacy by design achieved in technological proposals. A special reference to Identity Management systems. In: Proceedings of the 16th International Conference on Availability, Reliability and Security, pp.\u00a01\u20139. ACM, Vienna, Austria, August 2021. isbn: 978-1-4503-9051-4. https:\/\/doi.org\/10.1145\/3465481.3469207. https:\/\/dl.acm.org\/doi\/10.1145\/3465481.3469207. Visited 29 May 2024","DOI":"10.1145\/3465481.3469207"},{"key":"8_CR29","doi-asserted-by":"crossref","unstructured":"Wuyts, K., et al.: Effective and efficient privacy threat modeling through domain refinements. In: Proceedings of the 33rd Annual ACM Symposium on Applied Computing, pp.\u00a01175\u20131178 (2018). https:\/\/dl.acm.org\/doi\/abs\/10.1145\/3167132.3167414. Visited 29 May 2024","DOI":"10.1145\/3167132.3167414"},{"key":"8_CR30","unstructured":"Calvi, A.: Gender, data protection & the smart city: exploring the role of DPIA in achieving equality goals. Eur. J. Spat. Dev. 19(3) (2022)"},{"key":"8_CR31","doi-asserted-by":"publisher","unstructured":"De, S.J., M\u00e9tayer, D.L.: A refinement approach for the reuse of privacy risk analysis results. In: Schweighofer, E., Leitold, H., Mitrakas, A., Rannenberg, K. (eds.) Privacy Technologies and Policy. LNCS, vol.\u00a010518, pp.\u00a052\u201383. Springer, Cham (2017). isbn: 978-3-319-67279-3 978-3-319-67280-9. https:\/\/doi.org\/10.1007\/978-3-319-67280-9_4. http:\/\/link.springer.com\/10.1007\/978-3-319-67280-9_4. Visited 29 May 2024","DOI":"10.1007\/978-3-319-67280-9_4"},{"key":"8_CR32","doi-asserted-by":"crossref","unstructured":"Pandit, H.J.: A semantic specification for data protection impact assessments (DPIA). In: Towards a Knowledge-Aware AI, pp.\u00a036\u201350. IOS Press (2022)","DOI":"10.3233\/SSW220007"},{"key":"8_CR33","unstructured":"Information Commissioner\u2019s Office: How do we do a DPIA? ICO, 17 November 2024. https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/accountability-and-governance\/data-protection-impact-assessments-dpias\/how-do-we-do-a-dpia\/. Visited 28 May 2025"},{"key":"8_CR34","doi-asserted-by":"crossref","unstructured":"Dubey, R., et al.: Big data and predictive analytics and manufacturing performance: integrating institutional theory, resource-based view and big data culture. Br. J. Manag. 30(2), 341\u2013361 (2019)","DOI":"10.1111\/1467-8551.12355"},{"key":"8_CR35","doi-asserted-by":"crossref","unstructured":"Salleh, K.A., Janczewski, L.: Technological, organizational and environmental security and privacy issues of big data: a literature review. Procedia Comput. Sci. 100, 19\u201328 (2016)","DOI":"10.1016\/j.procs.2016.09.119"},{"key":"8_CR36","doi-asserted-by":"crossref","unstructured":"Phillips-Wren, G., et al.: Business analytics in the context of big data: a roadmap for research. Commun. Assoc. Inf. Syst. 37(1), 23 (2015)","DOI":"10.17705\/1CAIS.03723"},{"key":"8_CR37","doi-asserted-by":"crossref","unstructured":"Kelemen, B.K., Hohmann, B.: Is there anything new under the sun? A glance at the digital services act and the digital markets act from the perspective of digitalisation in the EU. Croatian Yearbook Eur. Law Policy 19, 225\u2013248 (2023)","DOI":"10.3935\/cyelp.19.2023.542"},{"key":"8_CR38","unstructured":"Regulation (EU) 2022\/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000\/31\/EC (Digital Services Act) (Text with EEA relevance). Legislative Body: EP, CONSIL, October 2022. http:\/\/data.europa.eu\/eli\/reg\/2022\/2065\/oj\/eng. Visited 17 Feb 2025"},{"key":"8_CR39","unstructured":"Regulation (EU) 2024\/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300\/2008, (EU) No 167\/2013, (EU) No 168\/2013, (EU) 2018\/858, (EU) 2018\/1139 and (EU) 2019\/2144 and Directives 2014\/90\/EU, (EU) 2016\/797 and (EU) 2020\/1828 (Artificial Intelligence Act) (Text with EEA relevance). Legislative Body: CONSIL, EP, June 2024. http:\/\/data.europa.eu\/eli\/reg\/2024\/1689\/oj\/eng. Visited 17 Feb 2025"},{"key":"8_CR40","unstructured":"Kokoulina, O.: Challenges in digital compliance: risk assessment and fundamental rights under the GDPR and the EU AI Act (2024)"},{"key":"8_CR41","doi-asserted-by":"crossref","unstructured":"Thomaidou, A., Limniotis, K.: Navigating through human rights in AI: exploring the interplay between GDPR and fundamental rights impact assessment. J. Cybersecur. Priv. 5(1), 7 (2025)","DOI":"10.3390\/jcp5010007"},{"key":"8_CR42","doi-asserted-by":"crossref","unstructured":"Pandit, H.J., Rintam\u00e4ki, T.: Towards an automated AI Act FRIA tool that can reuse GDPR\u2019s DPIA (2024)","DOI":"10.31219\/osf.io\/538wy_v1"}],"container-title":["Lecture Notes in Computer Science","Privacy Technologies and Policy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-07574-1_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T09:11:20Z","timestamp":1760087480000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-07574-1_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,11]]},"ISBN":["9783032075734","9783032075741"],"references-count":42,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-07574-1_8","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,11]]},"assertion":[{"value":"11 October 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"The authors have no competing interests to declare that are relevant to the content of this article.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Disclosure of Interests"}},{"value":"APF","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Annual Privacy Forum","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Frankfurt am Main","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Germany","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22 October 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"23 October 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"13","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"apf2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/privacyforum.eu\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}