DPC Publishes Finalised List of When DPIA is Required
Article 35 of the General Data Protection Regulation (the “GDPR”) requires that a Data Protection Impact Assessment (“DPIA”) be carried out by a controller where a type of data processing, in particular one using new technology, is likely to result in a “high risk to the rights and freedoms of natural persons”.
The European Data Protection Board (the “EDPB”) adopted an opinion on the Data Protection Commission’s (the “DPC”) draft list of processing operations requiring a DPIA, which was published on the 3rd of October 2018. Notably, the EDPB opined that the DPC’s initial draft list was too broad in some areas.
Following this, the DPC published its finalised list on the 15th of November 2018. The list identifies the following types of processing as requiring a DPIA:
- Use of personal data on a large scale for a purpose or purposes other than that for which it was initially collected, pursuant to GDPR Article 6(4).
- Profiling vulnerable persons including children to target marketing or online services at such persons.
- Use of profiling or algorithmic means of special category data as an element to determine access to services or that result in legal or similarly significant effects.
- Systematically monitoring, tracking or observing individuals’ location or behaviour.
- Processing biometric data to uniquely identify an individual or individuals or enable or allow the identification or authentication of an individual or individuals in combination with any of the other criteria set out in Article 29 Working Party Guidelines on DPIAs.
- Processing genetic data in combination with any of the other criteria set out in the guidelines.
- Indirectly sourcing personal data where GDPR transparency requirements are not being met, including when relying on exemptions based on impossibility or disproportionate effort.
- Combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the data sets are combined from different sources where processing was/is carried out for different purposes or by different controllers.
- Large-scale processing of personal data where the Data Protection Act 2018 requires “suitable and specific measures” to be taken in order to safeguard the fundamental rights and freedoms of the individuals.
The fact that a type of processing is absent from this list does not mean that such processing can be carried out without a DPIA.
The DPC states:
“(t)his list does not remove the general requirement to carry out proper and effective risk assessment and risk management of proposed data processing operations nor does it exempt the controller from the obligation to ensure compliance with any other obligation of the GDPR… It is good practice to carry out a DPIA for any major new project involving the use of personal data, even if there is no specific indication of likely high risk”.
Ultimately, however, the controller remains responsible for determining the level of risk involved, and the DPC advises conducting a DPIA wherever there is any doubt.