New Guidance Clarifies GDPR’s Data Protection Impact Assessment (DPIA) Requirements

The Data Protection Impact Assessment (DPIA) is a significant new burden on data controllers under GDPR.  As many have noted, GDPR does not clearly outline when a DPIA is required, instead referring to processing “likely to result in a high risk to the rights and freedoms of natural persons.”

Article 35(4) charges supervisory authorities with developing a list of processing operations that will require a DPIA.  Recently, Poland became the first country to publish its draft list.  While the document is written in Polish, two Polish attorneys published an unofficial English translation here.

When reading this list, there are two items to keep in mind:

1 | The list is in draft and applies only to companies with Polish operations. The final version may differ based on public comment.  Further, other EU jurisdictions will develop their own lists;

2 | Performing the types of processing included on the list is not prohibited; you can process data in these contexts as long as your DPIA indicates residual risk to the rights and freedoms of data subjects (after application of mitigating measures) is at a reasonable level.

The list of processing operations requiring a DPIA is as follows:

#Type of processingNotable examplesComment
1

Evaluation or assessment for purposes that may have negative legal, physical, financial, or other effects on natural persons

Profiling for (unsolicited) direct marketing purposes, profiling unemployed persons without consent, evaluating credit, assessment of lifestyle or other habits by insurance companies for the purpose of setting prices, or indirect profiling (price differentiation for specific groups)Very similar to the current definition of automated decision making, but with added clarity
2Automated decision making that produces legal, financial or similar material resultsTraffic monitoring systems, customer profiling systems (in particular those setting sale prices based on a profile)Very similar to the current definition of automated decision making, but with added clarity
3Systematic large-scale monitoring of publicly accessible places using elements of recognition of features or properties of objects in the monitored spaceTime-tracking systems used by employees, tracking of employee activity while on company networks, monitoring purchases and purchasing tendencies such as alcohol or sweets, systems using RFID where tags are assigned to individualsWhile large-scale monitoring is identified in GDPR as an operation requiring a DPIA, the scope is more extensive than many had first anticipated
4Processing of special categories of personal data concerning convictions and law infringementsBiometric data processing, high-frequency data processing, and portals or systems processing information involving purely personal or household activitiesWhile large-scale monitoring is identified in GDPR as an operation requiring a DPIA, the scope is more extensive than many had first anticipated
5Large-scale data processingCentral data repositories, collecting data on user activityClarifies GDPR concept of large-scale data processing
6Performing comparisons, assessments, or drawing conclusions based on analysis of data collected from various sourcesCertain marketing campaigns that combine data from various sourcesNew category not explicitly covered in GDPR guidance
7Processing data concerning persons whose assessment depends on entities or persons which have authoritative and/or assessment-related powersCandidate matching systems and whistleblowing systemsNew category not explicitly covered in GDPR guidance
8Innovative use of technological or organizational solutionsVarious uses of Internet of Things data, devices transmitting data through telecommunications networks, remote metering systemsProvides clarity with respect to the “new technologies” portion of the DPIA requirement
9Cross-border data transmission outside the EUCentral HR processing for international companies, use of third-country cloud providersCovered in a different section of GDPR, but tied in to DPIAs under this guidance
10Data processing that prevents data subjects from exercising their rights or using a serviceCustomer credit checks, other pre-contract checks processing data from third-party databasesProvides clarity on “decisions that produce legal effects concerning a natural person”

Leave a Reply