In our previous post we addressed the main characteristics of a Data Protection Impact Assessment (DPIA) pursuant to Article 35 of the General Data Protection Regulation (EU) no. 2016/679 (GDPR) and the steps to be taken in order to assess whether a DPIA is required or not. At the time, however, there was still a great deal of uncertainty over the cases in which a DPIA was compulsory and automatically required. Pursuant to Article 35, paragraph 4 GDPR, supervising authorities of each EU member state had to adopt and publish a list of the processing operations subject to the requirement for a DPIA and had to communicate such a list to the European Data Protection Board (EDPB). During the last few months, supervisory authorities submitted their draft lists of operations to the EDPB; on 25 September, the EDPB issued several opinions in response to the draft lists received for the purpose of harmonizing them. The EDPB has specifically indicated to each supervisory authority on the one hand what processing had to be included in their lists and, on the other hand, which criteria had to be removed.
The Italian Data Protection Authority's draft list
The Italian Data Protection Authority (Garante per la protezione dei dati personali or "Garante") has submitted to the EDPB its draft list on the circumstances where a DPIA was automatically required. After having analyzed the Garante's draft list, the EDPB in its Opinion no. 12/2018 requested the Garante to specify its non-exhaustive nature. Moreover, as a general remark, the EDPB pointed out that the list provided referred to processing operations which are not limited to data subjects in Italy and therefore, the consistency mechanism shall apply.
Additionally, the EDPB has required the Garante to:
- specify that the duty to carry out a DPIA for the processing of biometric and genetic data should only be triggered if at least one of the other high-risk criteria applies;
- make explicit reference to the criteria specified in WP29 Guidelines WP248 with regard to employment monitoring;
- add to its list an explicit reference to innovative technology and specify that the duty to carry out a DPIA for the processing which involves innovative technology should only be triggered if at least one of the other high-risk criteria applies;
- remove from its draft list the reference to any specific legal basis;
- remove from its draft list the criterion of "further processing".
What is new?
Following to the EDPB's comments, the Garante's has approved a revised list which reflects the EDPB's recommendations above and which now constitutes Annex 1 of Garante's general resolution of 11th October 2018. The revised list specifies that a DPIA must be carried out for the following data processing:
- large-scale evaluation or scoring processing, as well as processing involving the profiling of data subjects and the carrying out of predictive activities, including online activities or activities carried out through apps, relating to "aspects concerning the professional performance, economic situation, health, personal preferences or interests, reliability or conduct, location or position's changes of the data subject";
- automated processing for the purpose of taking decisions which have 'legal effects' or 'significant similar effects' on the data subject, including decisions which prevent the data subject from exercising a right or to use a good or a service or that prevent the data subject in continuing to be party of an existing contract (e.g., screening of a bank's clients using data recorded in a central risk database);
- processing which involves the systematic use of data for the analysis, monitoring or controlling of data subjects, including the collection of data through networks, whether carried out online or through apps, as well as the processing of unique identifiers capable of identifying users of information society services, including web services, interactive television, etc., with respect to usage habits and viewing data for extended periods. This includes metadata processing, e.g., in telecommunications, banks, etc., carried out not only for profiling, but in general for organizational reasons, for reasons of budgetary forecasts, technological upgrades, or for the improvement of networks, as well as to offer anti-fraud, anti-spam, security and other services;
- large-scale processing of data of a highly personal nature: this refers, among others, to data relating to family or private life (such as data relating to electronic communications for which confidentiality must be protected), to data affecting the exercise of a fundamental right (such as location data, the collection of which jeopardizes the freedom of movement) or whose misuse may have a serious impact on the daily life of the data subject (such as financial data which could be used to commit fraud in respect of payments);
- processing in the context of an employment relationship through technological systems (including systems of video-surveillance and of geolocation) from which it is possible to conduct remote monitoring employees' activities;
- non-occasional processing of data relating to vulnerable persons (children, disabled, old people, mentally ill, patients, asylum seekers);
- processing carried out using innovative technologies, even with the application of particular organizational measures (e.g., IoT; aintelligence systems; use of online voice assistants via voice and text scanning; monitoring carried out by wearable devices; proximity tracking such as wi-fi tracking) whenever at least one other criteria identified in Article 29 Working Party's Guidelines on Data Protection Impact Assessment (DPIA) no. 248, rev. 01 applies;
- processing involving large-scale data sharing between different controllers on a large scale using telematic means;
- processing of personal data through means of interconnection, combination or comparison information, including processing activities involving the cross-referencing of digital goods data with payment data (e.g. mobile payment);
- processing of special categories of data under Article 9 GDPR or data relating to criminal convictions and offences under Article 10 GDPR linked to other personal data collected for different purposes;
- systematic processing of biometric data, taking into account, in particular, the volume of data, the duration, as well as the length or persistence, of the processing activity;
- systematic processing of genetic data, taking into account, in particular, the volume of data, the duration, as well as the length or persistence, of the processing activity.
Data controllers must pay great attention to the risks concerning the processing of personal data in relation to the processing that they aim at implementing. In this respect, data controllers must carefully assess whether a certain processing requires them to carry out a DPIA under Garante's above list. Indeed, any failure of data controllers to carry out a DPIA where one should have been required may lead to the application of an administrative fine up to €10 million, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.