European Union: Processing Activities Subject To A Data Protection Impact Assessment

Our GDPR team discusses the opinion issued by the European Data Protection Board on the list of processing activities that are subject to a requirement of data protection impact assessment.

The European Data Protection Board (the EDPB), an independent body which ensures the consistent application of the GDPR throughout the European Union and promotes cooperation between the EU's data protection authorities, has adopted an opinion on the list of processing activities that are subject to a requirement of data protection impact assessment (the DPIA). The opinion aims to define a consistent core of processing activities that are recurrent in the lists of processing activities provided by the supervisory authorities (the SA) in the European Union, in relation to which a DPIA has to be carried out in a harmonised way.

When is a DPIA needed?

The GDPR renders a DPIA mandatory for the controller where processing is "likely to result in a high risk to the rights and freedoms of natural persons". The GDPR does not impose a single or exhaustive list of operations that require a DPIA and, therefore, does not ensure consistency among Member States. In order to achieve consistency in terms of when to carry out a DPIA, the SAs are required to include some types of processing in their lists, to remove some criteria which the EDPB does not consider as necessarily creating high risks for data subjects, and they are required to use such criteria in a harmonised manner. This aims at generating a consistent DPIA requirement for a limited number of types of processing operations that will be carried out in a harmonised way in the European Union.

While the competent SAs should cooperate in drafting their lists, this does not mean that the lists should be identical. The competent SAs have a margin of discretion with regard to the national or regional context and should take into account their local legislation.

Assessment of the draft list of the Cypriot SA

The Office of the Commissioner of Personal Data Protection in Cyprus, has submitted its draft list of processing activities to the EDPB, for which the decision on completeness was taken on 5 April 2019. The draft list submitted by the Cypriot SA relates to the offering of goods or services to data subjects and relates to monitoring their behaviour in several Member States. Analysis of the list of processing activities is carried out in terms of the following:

Reference to the Guidelines.

Working Party 29 Guidelines on Data Protection Impact Assessment, determine whether the processing is "likely to result in a high risk" for the purposes of the GDPR and constitute a core element for ensuring consistency across the European Union. They aim to clarify the notion of DPIA and provide criteria for the lists to be adopted by Data Protection Authorities. It was recommended in the Opinion that the document of the Cypriot SA should be amended to contain a statement that the list is based on these Guidelines and that it complements and further specifies the Guidelines.

Monitoring Employees. 

The Opinion notes that, due to its specific nature, if the employee monitoring processing is carried out in relation to personal data concerning vulnerable data subjects and is done systematically, then employee monitoring could require a DPIA. Given that, the list submitted by the Cypriot Supervisory Authority already envisages this type of processing as requiring a DPIA, the Opinion solely recommends making explicit reference to the abovementioned criteria.

Biometric and Genetic Data. 

The list of the Cypriot SA anticipates a large-scale processing of biometric and genetic data which requires a DPIA. At this point, the Opinion notes that the list aligns with the aim of consistency with other Member States. However, it should be mentioned that, the phrasing may be misleading as such that the processing of biometric data must take place cumulatively with genetic data, whereas it should be a disjunctive condition. Therefore, it is recommended that the phrasing to be changed to 'biometric or genetic data'.

Location Data.

The list submitted by the Cypriot SA does not contain a reference to the processing of location data as opposed to the majority of the lists submitted to the EDPB. For the purposes of consistency, the Cypriot SA is encouraged to include the processing of location data in its list.

The full text of the opinion can be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.