One of the new obligations introduced by the General Data Protection Regulation (GDPR) is to prepare a data protection impact assessment (DPIA) for certain types of processing operations – i.e., those which are likely to result in a high risk. To put it simply, a DPIA is a process for building and demonstrating compliance with the GDPR, which complements the new focus on accountability, privacy by design and a far more risk-based approach.
Under the GDPR, non-compliance with the DPIA requirements may result in an administrative fine of up to €10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, so it is essential to know when a DPIA is required.
First and foremost, it is up to the controller to assess whether there is a need to conduct a DPIA. Article 35(3) of the GDPR provides certain examples of processing operations, which would be subject to this obligation, these being:
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
- Processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences
- A systematic monitoring of a publicly accessible area on a large scale
However, considering that the above list is non-exhaustive, any other processing that is likely to result in such a high risk would also be subject to DPIA.
Under Article 35(5) of the GDPR, the supervisory authority shall establish and make public a list of those kinds of processing operations, which are subject to the requirement for a DPIA. Recently, the Polish supervisory authority, namely the Inspector General for Personal Data Protection (GIODO)[1], has released – as one of the first regulators in the EU – such a list and invited stakeholders for consultation.
The document is quite detailed and lists 10 types of processing activities subject to the requirement for a DPIA:
- Evaluation and assessment, including profiling and forecasting (behavioral analysis) for purposes which may cause negative legal, physical, financial or other consequences/inconvenience for natural persons.
- Automated decision-making that produces legal, financial or similar significant effects.
- Systematic monitoring on a large scale of publicly available places, which uses elements of recognition of features or characteristics of facilities located within the monitored area. This group does not include CCTV where the picture is recorded and used only to analyze breach of law incidents.
- Processing of special categories of personal data and of personal data relating to criminal convictions and offences (sensitive data according to Article 29 Data Protection Working Party guidelines).
- Data processed on a large scale where the term “large scale” refers to the number of persons whose data is processed; scope of processing; retention period; geographical scope of processing.
- Conducting comparisons, assessments and drawing conclusions, based on the analysis of data acquired from different sources.
- Processing personal data of persons whose assessment and services rendered are conditional on subjects and persons who have supervisory and/or evaluating powers
- Innovative use or application of technological or organizational solutions.
- Transfer of personal data outside the EU.
- Where data processing in itself “makes it impossible for persons whose data is processed to exercise his/her right or use a service or an agreement.”
Furthermore, each activity above is illustrated by concrete examples of such processing operations, as well as the sectors (both private and public) where such processing may occur.
Unsurprisingly, it appears that GIODO considers the processing of personal data in some business sectors is more likely to result in a high risk than in others. For example, the following will all require a DPIA:
- Profiling users for purposes of sending unsolicited correspondence by social networks
- Preparing creditworthiness assessment by financial institutions
- Assessing lifestyle, nutrition habits, driving skills, ways of spending time, etc. for the purpose of maximizing the profits by insurance companies
- Profiling customers in order to identify their purchasing preferences, setting promotional prices based on such profile by e-commerce companies
Finally, it is worth mentioning that a lot of processing activities regarding employment have also been indicated as requiring a DPIA analysis. For instance, the proposed list includes the following activities that would trigger the need for a mandatory DPIA:
- Monitoring of working time or employees’ activity
- Processing data that exceeds the scope specified in the Labor Code, based on the employees’ consent
- Maintaining whistleblowing hotlines for employees
- Processing of employment data within international corporations seated outside the EU
The list was subject to public consultations, which were schedule to close on April 28, 2018. We will keep you informed about the outcome of those consultations, and any significant changes to the proposed list resulting therefrom.
The original document is available in Polish. For more information about DPIA, and how to determine whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 adopted by the Article 29 Data Protection Working Party, please see also the Guidelines on Data Protection Impact Assessment (DPIA).
[1] From 25 May 2018 onwards: President of the Office for Personal Data Protection (PUODO).
This article was also written by Aleksandra Drozdz.