New Guidance Clarifies GDPR’s Data Protection Impact Assessment (DPIA) Requirements

The Data Protection Impact Assessment (DPIA) is a significant new burden on data controllers under GDPR. As many have noted, GDPR does not clearly outline when a DPIA is required, instead referring to processing “likely to result in a high risk to the rights and freedoms of natural persons.”

Article 35(4) charges supervisory authorities with developing a list of processing operations that will require a DPIA. Recently, Poland became the first country to publish its draft list. While the document is written in Polish, two Polish attorneys published an unofficial English translation here.

When reading this list, there are two items to keep in mind:

1 | The list is in draft and applies only to companies with Polish operations. The final version may differ based on public comment. Further, other EU jurisdictions will develop their own lists;

2 | Performing the types of processing included on the list is not prohibited; you can process data in these contexts as long as your DPIA indicates residual risk to the rights and freedoms of data subjects (after application of mitigating measures) is at a reasonable level.

The list of processing operations requiring a DPIA is as follows:

| # | Type of processing | Notable examples | Comment |
|---|---|---|---|
| 1 | Evaluation or assessment for purposes that may have negative legal, physical, financial, or other effects on natural persons | Profiling for (unsolicited) direct marketing purposes, profiling unemployed persons without consent, evaluating credit, assessment of lifestyle or other habits by insurance companies for the purpose of setting prices, or indirect profiling (price differentiation for specific groups) | Very similar to the current definition of automated decision making, but with added clarity |
| 2 | Automated decision making that produces legal, financial or similar material results | Traffic monitoring systems, customer profiling systems (in particular those setting sale prices based on a profile) | Very similar to the current definition of automated decision making, but with added clarity |
| 3 | Systematic large-scale monitoring of publicly accessible places using elements of recognition of features or properties of objects in the monitored space | Time-tracking systems used by employees, tracking of employee activity while on company networks, monitoring purchases and purchasing tendencies such as alcohol or sweets, systems using RFID where tags are assigned to individuals | While large-scale monitoring is identified in GDPR as an operation requiring a DPIA, the scope is more extensive than many had first anticipated |
| 4 | Processing of special categories of personal data concerning convictions and law infringements | Biometric data processing, high-frequency data processing, and portals or systems processing information involving purely personal or household activities | While large-scale monitoring is identified in GDPR as an operation requiring a DPIA, the scope is more extensive than many had first anticipated |
| 5 | Large-scale data processing | Central data repositories, collecting data on user activity | Clarifies GDPR concept of large-scale data processing |
| 6 | Performing comparisons, assessments, or drawing conclusions based on analysis of data collected from various sources | Certain marketing campaigns that combine data from various sources | New category not explicitly covered in GDPR guidance |
| 7 | Processing data concerning persons whose assessment depends on entities or persons which have authoritative and/or assessment-related powers | Candidate matching systems and whistleblowing systems | New category not explicitly covered in GDPR guidance |
| 8 | Innovative use of technological or organizational solutions | Various uses of Internet of Things data, devices transmitting data through telecommunications networks, remote metering systems | Provides clarity with respect to the “new technologies” portion of the DPIA requirement |
| 9 | Cross-border data transmission outside the EU | Central HR processing for international companies, use of third-country cloud providers | Covered in a different section of GDPR, but tied in to DPIAs under this guidance |
| 10 | Data processing that prevents data subjects from exercising their rights or using a service | Customer credit checks, other pre-contract checks processing data from third-party databases | Provides clarity on “decisions that produce legal effects concerning a natural person” |