Regulation on Processing Operations for which a Data Protection Impact Assessment must be carried out

On November 9th 2018, the Austrian Data Protection Authority issued a list stipulating data processing operations that in all cases require a data protection impact assessment ("DPIA"). Under the EU General Data Protection Regulation (GDPR) the controller must carry out a DPIA if certain criteria under Art 35 are met. The so-called "blacklist" issued by national data protection authorities will further specify the relevant scenarios triggering a DPIA obligation without prejudice to the provisions of the GDPR.

However, the Austrian blacklist mainly summarizes the criteria already mentioned in Art 35 and unfortunately still leaves several grey areas as to the interpretation of individual controllers. Failure to carry out a DPIA is subject to fines of up to EUR 10m or 2% of the total worldwide annual turnover.

In more detail:

According to the blacklist a DPIA must be carried out for example in case of data processing in connection with:

  1. a credit rating database, AML- or anti-fraud database, behavioural and marketing profiles, profiling for simplified and automated decision making in the finance, insurance, health and marketing sector;
  2. some specifically listed operations aimed at the observation, supervision or control of natural persons (including bodycams in public and non-public spaces);
  3. innovative technologies or organisational solutions which make it more difficult to assess the impact on the data subject and the social consequences, particularly using artificial intelligence or biometric data (e.g. access controls through a combination of fingerprints and facial scan);
  4. merging and/or cross-checking data sets from several different processing operations, which have been collected for different purposes and/or by different controllers, for processing operations, going beyond the usual expected processing by a data subject, where the use of algorithms makes it possible to take decisions which significantly harm the data subject (e.g. scoring methods for the prediction of the person's future behaviour, fraud-prevention systems in online shops to decide on the payment methods offered etc);

or if at least two of the following criteria are fulfilled:

  1. extensive processing of special categories of personal data pursuant to Art 9 GDPR;
  2. extensive processing of personal data on criminal convictions and offences;
  3. collection of specific location data within the meaning of the Telecommunications Act 2003;
  4. processing data of data subjects in need of protection (e.g. employees, patients, underage person etc);
  5. merging and/or cross-checking data sets from several different processing operations, which have been collected for different purposes and/or by different controllers, if the processing operations, going beyond the usual expected processing by a data subject, are carried out for purposes for which not all the data was collected directly from the data subject.

Exemptions exist in case of data processing in employment relationships where a works council agreement or approval by the employee representatives is in place.

One significant change to the original draft version of the Austrian blacklist is that processing in case of "joint controllers" pursuant to Art 26 GDPR is not automatically subject to a DPIA anymore.

DPIA exclusion due to whitelist

It should be mentioned that the blacklist is not applicable to processing operations which are covered by the so-called whitelist. This whitelist was issued by the Austrian Data protection Authority on May 25th 2018 and lists data processing operations that are excluded from the performance of a DPIA under certain conditions. These are e.g. personnel administration, customer service and marketing for own purposes and video surveillance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.