Definition of Data Protection Impact Assessment (DPIA)

DPIA means DATA PROTECTION IMPACT ASSESSMENT. It is a risk analysis established by the GDPR Regulation[1] and mandatory for controllers[2] prior to carrying out any processing operation on the personal data of individuals (data subjects) that is likely to result in a high risk to their rights and freedoms (“DPIA”). The risks to the rights and freedoms of data subjects may vary between individual processing operations and may lead to property, non-property or other damage to those individuals. It follows that the obligation to elaborate a DPIA does not apply to every personal data processing operation, but only to those which qualify.

When is it necessary to elaborate DPIAs

The obligation of controllers to elaborate DPIAs needs to be seen in the context of the general obligation of controllers to adequately manage the risks related to the processing of personal data. According to Recital (84) of the GDPR: the outcome of the assessment (DPIA) should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with the GDPR.

The obligation to elaborate a DPIA relates mainly to cases where the controller uses new technologies to process personal data, the use of which may represent a high risk for the rights and freedoms of the data subjects, and to cases where the nature, scope, context or purpose of the processing implies a high risk for the rights and freedoms of the data subjects. A DPIA is a process which may help the controller to analyse, identify and minimise risks; it is essentially a special type of risk analysis. It should mainly include the planned measures, safeguards and mechanisms to mitigate the risks to the rights and freedoms of the data subjects, to ensure the protection of personal data and to demonstrate compliance with the GDPR.

Article 35 (3) of the GDPR names examples of processing operations requiring the elaboration of a DPIA. As the list of processing operations in the GDPR is not exhaustive, the WP 29[3] working party introduced 9 criteria each controller should consider when deciding whether a processing operation requires a DPIA. In case the processing operation meets at least two of the criteria below, the controller should consider elaborating a DPIA. WP 29 states that the more criteria a processing operation meets, the more likely it is to represent a high risk to the rights and freedoms of the data subjects.

Criteria:

  1. Profiling and predicting – evaluation and scoring, including profiling and predicting, especially from aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.
  2. Automated decision-making with legal or similar significant effect – processing that aims at taking decisions on data subjects producing legal effects concerning the natural person or which similarly significantly affects the natural person.
  3. Systematic monitoring – processing used to observe, monitor or control data subjects, including data collected through networks or a systematic monitoring of a publicly accessible area.
  4. Sensitive data or data of a highly personal nature – this includes special categories of personal data as defined in Article 9 (for example, information on individual’s health condition), as well as personal data relating to criminal convictions or offences.
  5. Data processed on a large scale – the GDPR does not define what constitutes large-scale, though recital 91 provides some guidance. In any event, the WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: the number of data subjects concerned (either as a specific number or as a proportion of the relevant population), the volume of data and/or the range of different data items being processed, the duration, or permanence of the data processing activity, and the geographical extent of the processing activity.
  6. Matching or combining datasets – for example, data originating from two or more data processing operations performed for different purposes and/or by different data controllers, combined in a way that would exceed the reasonable expectations of the data subject.
  7. Data concerning vulnerable data subjects – vulnerable data subjects may include employees.
  8. Innovative use or applying new technological or organisational solutions.
  9. When the processing itself prevents data subjects from exercising a right or using a service or a contract.

Based on the authorising provision of the GDPR, the Office for Personal Data Protection of the SR (“Office”) released 13 examples of processing operations which require elaborating the impact assessment:

  1. Processing of biometric data of natural persons (like fingerprints) for the purposes of individual identification of natural persons in connection with at least one of the aforementioned criteria.
  2. Processing of genetic data of natural persons (like data on inherited characteristic markers) in connection with at least one of the aforementioned criteria.
  3. Processing of localisation data (like location data) in connection with at least one of the aforementioned criteria.
  4. Processing operations under Article 14 of the GDPR – Article 14 (5) (b), (c) and (d) of the GDPR names exceptions under which the controller is not obliged to provide information on the processing of personal data to the data subject. Where a processing operation falls under one of these exceptions, a DPIA is required if it is carried out in connection with at least one of the aforementioned criteria.
  5. Evaluation or scoring.
  6. Reliability assessment.
  7. Payment ability assessment.
  8. Profiling.
  9. Monitoring of employees' work for material reasons based on the special nature of the employer's activity.
  10. Processing of personal data for the purposes of scientific or historic research without the consent of the data subject in connection with at least one of the aforementioned criteria.
  11. Processing operations using new or innovative technologies in connection with at least one of the aforementioned criteria.
  12. Systematic CCTV monitoring of public areas.
  13. Surveillance of persons by private detectives or security services.

Who is obliged to elaborate DPIA

Every controller meeting the abovementioned criteria is obliged to elaborate a DPIA. However, if the controller engages a processor[4] for the specific processing operation, the processor shall cooperate with the controller in elaborating the DPIA, taking into account the nature of the processing and the information available to the processor.

Sanctions

An administrative fine of up to 10 million euros or, in the case of companies, 2 % of the total global annual turnover for the previous accounting year (whichever is higher) may be imposed by the Office on the controller for failing to comply with the DPIA-related obligations, in particular:

  • failure to elaborate a DPIA where it is mandatory for the processing;
  • elaborating the DPIA incorrectly; or
  • failure to consult the respective supervisory authority.

Conclusion: recommendations

If the controller is not certain whether to elaborate a DPIA, we recommend elaborating it (to be sure), as it is a useful tool for proving to the Office that the controller has complied with the GDPR.

Viktória Poliaková, Zuzana Krajčovičová


[1] Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

[2] Pursuant to Article 4 (7) of the GDPR, controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

[3] WP 29 is the abbreviation of a working party established as the independent supervisory authority to monitor compliance with personal data protection under Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”). It was the official advisory body of the European Commission in the field of personal data protection. The GDPR, coming into force as of 25.05.2018, replaced the WP29 with the European Data Protection Board.


[4] Pursuant to Article 4 (8) of the GDPR, processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.