Earlier this year, the Irish Data Protection Commission (DPC) published a draft list of processing operations for which it considers it is mandatory to conduct a Data Protection Impact Assessment (DPIA). Following a public consultation, the DPC submitted its draft list to the European Data Protection Board (EDPB) for approval. The EDPB has now published an opinion on the DPC’s draft list. The DPC has two weeks to communicate to the EDPB whether it intends to amend its draft list or maintain it in its current form, and provide an explanation for its decision.
The GDPR does not impose a single list of processing operations requiring a DPIA. Article 35.1 GDPR requires a DPIA to be carried out where processing “is likely to result in a high risk to the rights and freedoms of natural persons“. Article 35.3 GDPR provides examples of when a processing operation is “likely to result in a high risk” and thus require a DPIA. Such examples include where an organisation: (a) uses systematic and extensive profiling activities with significant effects; (b) processes special category or criminal offence data on a large scale; or (c) systematically monitors publicly accessible places on a large scale.
In order to provide a more concrete set of processing operations that require a DPIA due to their inherent high risk, Article 35.4 requires Supervisory Authorities (SAs) in EU Member States to establish and communicate to the EDPB a list of processing operations which require a DPIA. The Article 29 Working Party (WP29) has issued Guidelines, endorsed by the EDPB, which set out a list of criteria for SAs to consider when identifying processing operations requiring a DPIA. The WP29 Guidelines state that, in most cases, a data controller can consider that a processing operation meeting two criteria would require a DPIA, however, in some cases, processing meeting only one of the criteria will suffice.
Article 64.1 GDPR requires the EDPB to issue an opinion where a SA intends to adopt a list of processing operations requiring a DPIA. The aim of the EDPB’s opinion is not to reach a single EU list, but to avoid significant inconsistencies between EU Member States that may affect the equivalent protection of data subjects. The EDPB’s opinion only concerns cross-border processing and processing affecting the free flow of personal data and data subjects, and not local processing operations.
DPC’s Draft List & EDPB’s Recommendations
The final list submitted to the EDPB for its approval after the DPC’s public consultation has not been published, and the list may have changed. In the original draft list, the DPC proposed that a DPIA is required where an organisation is planning to:
- Use personal data on a large-scale for a purpose(s) other than that for which it was initially collected – The EDPB recommends deleting this requirement.
- Profile vulnerable persons including children to target marketing or online services at such persons – The EDPB recommends the DPC explicitly refers to the two criteria in the WP29 Guidelines which require a DPIA in respect of such processing.
- Use profiling or special category data to determine access to services.
- Monitor, track, or observe individuals’ location or behaviour – The EDPB recommends a DPIA is only required where processing of location data is done in conjunction with other criteria
- Profile individuals on a large-scale.
- Process biometric data to identify an individual – The EDPB recommends a DPIA is only required where processing of biometric data for the purpose of uniquely identifying an individual is done in conjunction with other criteria.
- Process genetic data – The EDPB recommends a DPIA is only required where processing of genetic data is done in conjunction with other criteria.
- Indirectly source personal data where GDPR transparency requirements are not being met.
- Combine, link or cross-reference separate datasets where such linking contributes to profiling or behavioural analysis of individuals.
- Process personal data based on legislative measure under the Data Protection Act 2018 where suitable and specific measures are required to safeguard the fundamental rights and freedoms of individuals.
- Further process personal data for archiving purposes in the public interest, scientific or historical research or statistical purposes – The EDPB recommends a DPIA is only required where processing of personal data for scientific or historical research purposes is done in conjunction with other criteria.
The EDPB has indicated that where it is has not commented on the DPC’s list entries, it is not asking the DPC to make any amendment in regard to those entries. The EDPB also requests the DPC to include an explicit statement that its list is not exhaustive, and to explain that the list is based on the WP29 Guidelines on DPIAs and complements those Guidelines. The DPC has further been requested to explain which criteria set out in the WP29 Guidelines have been taken in creating the list.
The EDPB has not requested the DPC to make major amendments to its draft list, and the changes requested effectively narrow rather than broaden the scope of the processing operations requiring a DPIA. However, the DPC has stated that it is good practice to carry out a DPIA for any new project involving the use of personal data, even if there is no specific indication of likely high risk.
Once the list is finalised by the DPC, it is vital that a DPIA is carried out when required, and contains all the detail required by the GDPR in order to avoid fines and mitigate the risk of compensation claims from data subjects. Failure to carry out a DPIA when the processing is subject to a DPIA, carrying out a DPIA in an incorrect way, or failing to consult the competent supervisory authority where required, can result in an administrative fine of up to €10m, or in the case of an undertaking, up to 2 % of the group worldwide annual turnover of the preceding financial year, whichever is higher.