Article 29 Working Party’s guidelines on DPIA

The Article 29 Working Party (“A29WP”) has recently published its guidelines on Data Protection Impact Assessment (“DPIA”) introduced by art. 35 of EU Regulation 2016/679 (“GDPR”).

The purpose of the guidelines is anticipating and clarifying to data controllers whether and when a processing of personal data may present a high risk to the rights and freedoms of natural persons so that supervisory authorities and the European Data Protection Board will have a first point of view to draw up a publish list of kind of processing operations which subject to the DPIA (art. 35(4) GDPR). Indeed, the guidelines specify that the list of processing operations described in art. 35(3) GDPR is not exhaustive. Therefore, processing activities that are not covered by paragraph 3 are not necessarily exempted from the DPIA as they may still present similar risks.
In order to identify the processing operations subjected to a DPIA, the following criteria should be considered:
1. Evaluation, including profiling, of personal aspects relating to a natural person, having the scope to analyse or predict aspects of professional performance, economic situation, health, preferences, personal interests, reliability, behaviour, location or movements of the data subject. Examples of such purpose may be a biotechnology company that offers genetic testing to predict disease or health risks or an undertaking that performs behavioural advertising or defines user profiles based on the usage or navigation on its website;
2. Automated processing that has legal or similar significant effects, which may occur when it leads to the exclusion or discrimination of the individual;
3. Systematic monitoring: this may occur when personal data are processed in circumstances where data subjects are not aware of the fact that their data are collected and used or when it is impossible for them to avoid such processing as it happens in public spaces;
4. The processing of sensitive or judicial data;
5. Processing on a large scale: for this purpose it is necessary to consider (i) the number of data subjects involved; (Ii) the volume of data; (iii) the duration of the processing and; (iv) the geographical extent of the processing operations;
6. Datasets that have been matched or combined beyond the reasonable expectations of the data subjects;
7. The processing of data concerning vulnerable data subjects, including workers, minors, the elderly and patients;
8. The innovative use or application of new technological or organizational solutions, i.e., a DPIA will have to be performed for some applications of the Internet of Things;
9. The transfer of data outside the EU;
10. The processing operation prevents data subjects from exercising a right or using a service or a contract (e.g. a processing in public areas that cannot be avoided or that modify or allow access to a service or a contract – for example, when a bank analyses customer’s data to decide whether to grant a loan or not).

As a rule of thumb, a processing that meets at least two of the above criteria must be subject to a DPIA before its beginning unless:
1) it does not present risks to rights and freedoms of the data subjects;
2) it is similar to another processing operation for which a DPIA has already been performed;
3) A Member State law excludes the need of a DPIA;
4) it is included in the optional list drawn up by the relevant supervisory authority pursuant to art. 35(5) GDPR.

Although the obligation to perform a DPIA will be applicable starting from May 2018, A29WP recommends to carry out a DPIA for processing operations which in place before the afore-mentioned date and to proceed with constant updates at least every three years.

The guidelines conclude with two attachments: the former reflects a list of DPIA models currently available; the second provides the criteria that each of the them should include to adequately conduct a DPIA.

If you want to know more click here