We continue our series preparing enterprises for the challenges of the European Union's new General Data Protection Regulation (GDPR), which applies from 25th May 2018. In this issue, we analyze in which cases a controller shall carry out a Data Protection Impact Assessment (DPIA).

The DPIA is a new legal instrument introduced by the GDPR, and its purpose is to evaluate the risks of data processing. According to the Regulation, if the assessment indicates that the processing would result in a high risk, the controller shall consult the supervisory authority prior to starting the processing. In other words, a DPIA is a process carried out internally, but as a possible result, the controller might have to initiate prior consultation with the data protection authority (in Hungary, NAIH).

The first question is in which cases a DPIA is compulsory. According to the GDPR, where processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. The GDPR also specifies particular cases in which a DPIA is mandatory, e.g. the systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, or the systematic monitoring of a publicly accessible area on a large scale.

However, the above list is illustrative. Therefore, the Article 29 Data Protection Working Party issued guidelines and worked out a list of criteria that should be taken into account. As a rule of thumb, the Working Party believes that a data controller should carry out a DPIA when at least two of the following nine criteria are met:

  1. Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements”.
  2. Automated decision-making with legal or similarly significant effect. According to the Working Party, this criterion applies to cases where processing may lead to the exclusion of or discrimination against individuals.
  3. Systematic monitoring, which may be data collection through networks or ‘a systematic monitoring of a publicly accessible area’.
  4. Sensitive data or personal data of a highly confidential nature, including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. Furthermore, certain categories of data can be considered as increasing the possible risk to the rights and freedoms of individuals, in particular personal data linked to household and private activities.
  5. Data processed on a large scale. Since the GDPR does not provide a definition of ‘large scale’, the Working Party recommends considering the following circumstances:
    1. the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
    2. the volume of data and/or the range of different data items being processed;
    3. the duration, or permanence, of the data processing activity;
    4. the geographical extent of the processing activity.

Providing a specific example, the GDPR confirms that the processing of personal data should not be considered to be on a large scale if it concerns the personal data of patients or clients of an individual physician, other health care professional or lawyer.

  6. Matching or combining datasets, for example datasets originating from two or more data processing operations performed for different purposes and/or by different data controllers, in a way that would exceed the reasonable expectations of the data subject.
  7. Data concerning vulnerable data subjects. This category includes personal data relating to children, employees, or more vulnerable segments of the population requiring special protection.
  8. Innovative use or application of new technological or organizational solutions. A new technology is defined in accordance with the achieved state of technological knowledge, e.g. combining fingerprint and face recognition for improved physical access control.
  9. Cases where the processing in itself “prevents data subjects from exercising a right or using a service or a contract”.

It is important to point out that the supervisory authority shall publish a list of the kinds of processing operations for which a DPIA is mandatory. NAIH has not established such a list yet.

The Working Party also specified cases in which a DPIA is not necessary:

  • Where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons”;
  • Where the nature, scope, context and purposes of the processing are very similar to those of processing for which a DPIA has already been carried out. In such cases, the results of the DPIA for the similar processing can be used;
  • Where the processing operations have been checked by a supervisory authority before May 2018 under specific conditions that have not changed, since decisions adopted and authorizations issued by supervisory authorities on the basis of the current legislation remain in force until amended, replaced or repealed;
  • Where a DPIA has already been carried out as part of establishing the legal basis for the processing.

Authorities may also set a list of processing operations for which no DPIA is required. Likewise, NAIH has not established such a list yet.