The updated list of data processing requiring data protection impact assessment (DPIA) takes into account the reservations that the European Data Protection Board has submitted to the initial list. The list is intended to help administrators to assess for which data processing DPIA should be carried out.
- What is the impact assessment for data protection?
A data protection impact assessment is part of the risk management procedure for data protection. It is carried out for those processing operations that may pose a significant risk of violating the rights or freedoms of natural persons. GDPR does not define the concept of DPIA itself, but it does specify what a DPIA should contain:
- a systematic description of planned processing operations and processing purposes, including, where applicable, legitimate interests pursued by the controller;
- an assessment of whether processing operations are necessary and proportionate to the objectives;
- an assessment of the risk of violation of the rights or freedoms of data subjects referred to in paragraph 1; and
- measures planned to address risks, including safeguards, and security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of the data subject and other persons involved.
There is no single valid template for conducting a DPIA. Administrators can, for example, use the PIA tool developed by the French data protection authority, which is available, among other places, on the PUODO (President of the Polish Office for Data Protection) website. For some administrators the PIA tool may turn out to be too complicated a program, so it is worth treating it as a starting point for developing your own documentation.
- Which processing operations of personal data require DPIA?
Generally speaking, DPIA should be carried out compulsorily for those types of processing which, due to their nature, scope, context and objectives, are likely to cause a significant risk of violating the rights or freedoms of natural persons.
GDPR directly lists 4 situations when DPIA is necessary:
- the processing operation consists in a systematic, comprehensive assessment of personal factors pertaining to natural persons, which is based on automated processing, including profiling, and is the basis for decisions that produce legal effects concerning a natural person or similarly significantly affect a natural person;
- large-scale processing of special categories of personal data referred to in art. 9 par. 1 GDPR (so-called sensitive data), or of personal data concerning convictions and violations of law, as mentioned in art. 10 of GDPR;
- there is systematic monitoring of publicly accessible places on a large scale;
- the processing operation falls within the list of processing requiring an impact assessment for data protection developed by the supervisory authority (so this list may differ from country to country).
Other data processing operations may also be subject to an impact assessment for data protection; however, the decision in this respect belongs to the administrator.
- What processing operations have been included in the updated list of PUODO?
The list contains 12 criteria / types of processing operations which, according to the authority, require a DPIA; this is 3 more than the original list from last year. If the data processing operation examined by the data controller meets at least 2 of the specified criteria, a DPIA is obligatory. If at least one criterion is met, the data controller may consider that a DPIA should be performed. For ease of use, possible areas of application and sample processing activities are indicated for each criterion. However, these are only of an auxiliary nature and should not be treated as an exhaustive list of processing operations.
The current list of processing operations requiring an impact assessment on data protection includes the following items:
- evaluation or assessment, including profiling and prediction (behavioral analysis) for purposes that have negative legal, physical, financial or other effects on natural persons (e.g. behavioral advertising),
- automated decision making that has legal, financial or similar effects (e.g. assessing customer purchase preferences from loyalty program data in order to adjust the rebate offer),
- systematic monitoring on a large scale of public places using elements that recognize features or properties of the objects present in the monitored space (e.g. monitoring employees in the workplace based on face recognition technology),
- processing of special categories of personal data and of data concerning convictions and offenses (e.g. applications collecting information about health condition with the use of wristbands that register physical activity),
- processing of biometric data solely for the purpose of identifying a natural person or for the purpose of access control (e.g. securing entry to the server room with an employee authorization system based on a thumbprint),
- processing of genetic data (e.g. DNA tests carried out by clinics),
- data processed on a large scale (both due to the number of people, as well as the scope of data or processing, e.g. social media),
- conducting comparisons, evaluation or inference based on the analysis of data obtained from various sources (e.g. creating customer profiles for marketing purposes by compiling data from different collections),
- processing of data concerning persons whose assessment, or the services provided to them, depends on entities or persons who have supervisory and/or assessing rights (e.g. whistleblowing programs in workplaces),
- innovative use or application of technological or organizational solutions (e.g. interactive toys),
- processing which in itself prevents data subjects from exercising their rights or from using a service or contract (e.g. making credit decisions based on data contained in debtors' registers),
- processing of location data (e.g. location of employees using GPS).