28 Oct The EDPB establishes common criteria for Data Protection Impact Assessment lists drafted by national supervisory authorities

In brief

On September 26^th, 2018, the European Data Protection Board (“EDPB”) adopted Opinions on the draft lists, submitted by the respective national supervisory authorities, on the processing operations subject to the requirement of a data protection impact assessment (“DPIA”). The Opinions which result from the obligation for supervisory authorities to establish a list of the kind of processing operations that should be subject to a DPIA (Article 35(4) GDPR) and the consistency mechanism provided for by Articles 35(6) and 64(1)(a) GDPR, are in line with previous Article 29 Working Party (“WP29”) Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 issued on the 4^th of April 2017 and modified on the 4^th of October (hereinafter referred to as “WP248“). The EDPB Opinions and the previous Guidelines identify and harmonise a number of processing operations for which a DPIA is definitely required, in order to ensure a consistent application of the data protection rules throughout the Union.

Background

Article 35(1) of the General Data Protection Regulation 679/2016 (“GDPR”) requires controllers to carry out an assessment of the impact of an envisaged processing that is “likely to result in a high risk to the rights and freedoms of natural persons”. Processing types that fall under that requirement are illustrated in Article 35(3) and WP248 Guidelines have further clarified criteria that may help identify when such an assessment is necessary.

In addition, national supervisory authorities (“SAs”) shall, according to Article 35(4) GDPR, establish their own list of processing operations which should be subject to a DPIA. This allows for a margin of discretion by the SAs, with regard to the national or regional legislative context. However, this flexibility towards SAs may lead to inconsistencies within the Union and even negatively affect the free flow of personal data.

For this purpose, the adoption of such lists is subject to the consistency mechanism laid down in Article 63, requiring SAs under Article 64(1)(a) GDPR to submit the relevant draft decisions to the EDPB, which will then ensure that these lists are consistent throughout the whole Union. In this regard, however, Article 35(6) limits the application of the consistency mechanism only to processing activities which:

1. are related to the offering of goods or services to the data subjects or,
2. are related to the monitoring of data subjects’ behaviour in several Member States, or
3. may substantially affect the free movement of personal data within the Union.

Main issues

First of all, the EDPB states that those types of processing activities which are deemed outside the scope of Article 35(6) (i.e., processing operations that are necessarily local, or those exclusively relating to national legislation or law enforcement) are not dealt with in its Opinions.

Moreover, the EDPB states that, pursuant to Article 35(10), if a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of the legal basis (when the processing takes place under Article 6(1) (c) or (e) GDPR), the obligation to carry out a DPIA does not apply, unless the Member State deems it necessary.

The analysis of 22 national lists submitted with an overall of 260 different types of processing activities, resulted general findings and requests of the SAs to amend their lists in order to:

• include some types of processing in their lists;
• remove some other criteria which the Board does not consider as necessarily creating high risks for data subjects;
• use some criteria in a harmonised manner.

The following represent a summary of recurrent conclusions to which the EDPB came in its Opinions:

• the list provided at Article 35(3) as well as those adopted by SAs under Article 35(4) shall be deemed and labelled as non-exhaustive;
• a statement should be added that clarifies that the lists are based on the WP248 guidelines and constitute a further specification to that;
• that the processing of biometric data on its own is not necessarily likely to represent a high risk, however the processing of biometric data for the purpose of uniquely identifying a natural person in conjunction with at least one other criterion a DPIA is required to be carried out;
• the processing of genetic data, the use of new and innovative technology or the processing of location data on their own are not necessarily likely to represent a high risk, however, in conjunction with at least one other criterion a DPIA is required to be carried out;
• due to its specific nature, the employee monitoring processing, meeting the criterion of vulnerable data subjects and of systematic monitoring in the guidelines, could require a DPIA;
• further processing of personal data or the use of a specific legal basis should not be criterions leading to an obligation to carry out a DPIA, alone or with another criterion;
• the processing made in the context of the collection of personal data via interfaces of personal electronic devices, which are not protected against unauthorised readout, should not be a criterion leading to an obligation to do a DPIA, alone or with another criterion;
• regarding data collected via third parties, types of processing activities that could deprive the data subjects from their rights in conjunction with at least one other criterion represent a high risk.

The supervisory authorities shall communicate to the Chair within two weeks after receiving the Opinion, whether they will amend or maintain their draft list. Within the same period, they shall provide the amended draft list or where they do not intend to follow the Opinion of the Board, they shall provide the relevant grounds for which they do not intend to follow the Opinion, in whole or in part.

Practical implications

Data processing operations for which the carrying out of a DPIA is required are being identified, and the fine-tuning of their national lists is ongoing. Companies must wait for the final lists that each Supervisory Authority will issue, since such lists will have a central role to help data controllers establish whether a DPIA is compulsory or not, in order to subsequently initiate data processing operations.

ICT Legal Consulting will keep its readers updated.