On 28 February, the Privacy Commission, which will be re-formed as the Data Protection Authority on 25 May 2018, interpreted the new obligation imposed by Article 35 of the GDPR to fulfil a “data protection impact assessment” (“DPIA”). The aim of this recommendation consists in determining the cases in which a DPIA is required.
What is a DPIA?
The DPIA is a process whose goal is to systematically describe the processing of personal data, to assess the necessity and proportionality of it and to help manage the risks to the rights and freedoms of the natural persons concerned, while determining the necessary measures to manage these risks. This process allows the controller to show that he is compliant with the principles and obligations imposed by the GDPR, particularly with regard to the obligation to take the appropriate measures to manage the risks relating to the processing of personal data.
In which cases is a DPIA required?
The DPIA is not required for every processing of personal data, but only when the processing is likely to cause a high risk to the persons concerned. Furthermore, the Privacy Commission has clarified that a DPIA is only compulsory for the new processes, but that it is also recommended for ongoing processes with a distinctively high risk. In its recommendation, the Privacy Commission lists three categories in which this particular risk assessment must be carried out:
1. When the processing is likely to result in a “high risk” to the rights and freedoms of a natural person
The GDPR does not define the notion of “high risk”. According to the Privacy Commission, it concerns the processing of personal data that entails or could entail negative effects to the fundamental rights and freedoms of natural persons. Therefore, it is not required that these rights and freedoms are actually affected; the mere probability suffices.
Moreover, the Article 29 Working Party, the common European body of the supervisory authorities, has established nine criteria to be taken into account by controllers to assess whether the processing concerned has a distinctively “high risk” or not. These nine criteria are as follows:
Evaluation or scoring (including profiling and predicting) | Processing of sensitive or very personal data | Data concerning vulnerable data subjects (e.g., children, elderly persons, but also workers ...) |
Automated decision making with legal or similar significant effect | Processing of personal data on a large scale (on the basis of the number of persons, the volume of the data, the duration or permanence of the activity or the geographic extent of the activity) | Innovative use or applying technological or organisational solutions |
Systematic monitoring |
Datasets that have been matched or combined |
When the processing prevents data subjects from exercising a right or using a service or a contract |
The Privacy Commission indicates that, in line with the Article 29 Working Party, as soon as a processing corresponds to at least two of the nine criteria, a DPIA shall be required. The Article 29 Working Party, in turn, considers that the more criteria are met by the processing, the more likely it is to present a “high risk” requiring a DPIA, and this regardless of the measures the controller intends to take to limit these risks.
If the controller believes that despite the fact that the processing meets at least two criteria, it is considered not to be “likely high risk”, he has to thoroughly document the reasons for not carrying out a DPIA.
At first glance, this recommendation (Dutch - French) implies that the HR department of a sizeable company with a large number of workers will be required to carry out DPIAs for numerous processes regarding a large number of workers.
2. The types of processing referred to in Article 35(3) of the GDPR
In three situations, a DPIA is always required:
- in the case of a systematic and extensive evaluation of personal aspects which is (completely or partially) based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- in the case of processing on a large scale of special categories of data referred to in Article 9§1 of the GDPR (racial or ethnic origin, political opinions, etc), or of personal data relating to criminal convictions and offences;
- in the case of a systematic monitoring of a publicly accessible area on a large scale.
The Privacy Commission mainly targets hospital information systems, genetic research and video surveillance.
3. The lists established by the supervisory authority
Each supervisory authority must draw up and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment. The supervisory authority may also draw up and make public a list of the kinds of processing operations for which no data protection impact assessment is required.
However, the existence of these lists, which are not exhaustive, has no influence whatsoever on the obligation of the controller to manage the risks.
The Privacy Commission has now published its draft lists.
In which cases is a DPIA not required?
In its draft list concerning the types of processing for which no DPIA is required, without prejudice to the controllers’ general obligation to carry out a proper assessment of the risks and good management of the risks (cf. supra), the Privacy Commission has also clarified that a DPIA is not required when the processing:
- is needed for compliance with a legal obligation to which the controller is subject;
- is needed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- only concerns the data necessary for the administration of the salaries of persons employed by or active on behalf of the controller;
- only concerns the administration of the staff employed by or active on behalf of the controller;
- only concerns the controllers’ accounting, insofar as the data is only used for accounting purposes;
- only concerns shareholders’ and partners’ administration, insofar as the processing is limited to the data necessary for this administration;
- is carried out by a foundation, an association or any other non-profit organisation within the framework of its usual activities;
- only concerns the registration of visitors in the context of access control;
- is carried out by educational institutions for the management of the relationships with their students in the framework of their educational objectives;
- only concerns the controllers’ customer or supplier management.
However, for each of these “exceptions”, certain specific conditions must be met.
- Action point
Every controller must carry out a DPIA prior to data processing when such an analysis is required, and this preferably as soon as possible during the stage of development. Furthermore, a DPIA will also be required on a regular basis for processes with a distinctively high risk.