It is not simple to assess when a DPIA is required, whether it is mandatory or highly recommended; in particular a number of processing operations may give rise to uncertainty. The lists of the processing operations requiring a DPIA—which the supervisory authorities shall adopt within the next months—will help to make the framework clearer. The new Opinion 12/2018 of the EDPB on the draft lists—submitted by the supervisory authorities—gives us a hint of what to expect.

What is a DPIA?

Data protection impact assessment is without a doubt one of the most complex innovations of the General Data Protection Regulation (EU) 2016/679 (GDPR). Article 35 of the GDPR states that "where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks." Actually, what "high risk to the rights and freedoms of natural persons" means in concrete terms is still uncertain. Generally speaking, every time a processing may jeopardize privacy right or other fundamental rights—such as freedom of speech, freedom of thought, prohibition from discrimination, right to liberty, conscience and religion—a DPIA is required. In cases where it is not clear whether a DPIA is required, Article 29 Data Protection Working Party (WP29) recommends that a DPIA is carried out nonetheless as it is a useful tool to help controllers comply with data protection law. In order to clarify which types of processing require a DPIA, GDPR provides a non-exhaustive list, clarifying that a DPIA shall be in particular required in the case of:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

How to assess whether a DPIA is required?

The DPIA procedure should consist of the following stages as a minimum:

  1. Existence of a procedure ensuring that the data controller is aware of the processing that may require a DPIA: Every time a new processing type is started, a competent person will be responsible for ensuring that the assessment is run;
  2. Preliminary assessment: In order to assess whether a DPIA is required, the following nine criteria should be checked, as indicated by WP29—evaluation or scoring, automated-decision making with legal or similar significant effect, systematic monitoring, existence of sensitive data or data of a highly personal nature, data processed on a large scale, presence of matched or combined datasets, presence of data concerning vulnerable data subjects, innovative use or application of new technological or organizational solutions, processing which in itself "prevents data subjects from exercising a right or using a service or a contract." If at least two of the above criteria are met, a DPIA is highly recommended, if not mandatory
  3. Action in case the assessment shows that a DPIA is required: In this case, the views of data subjects should be sought. Once the DPIA is finalized, documentation of the process must be retained. When residual risks are felt to be high, prior consultation with supervisory authority is required.

The data controller should update the DPIA periodically, especially every time substantial processing changes occur.

What is new? 

Under article 35.4 of the GDPR the supervisory authorities of each member state shall adopt and make public a list of the processing operations subject to the requirement for a DPIA and shall communicate such lists to the EDPB. According to article 64.1 of the GDPR, the EDPB has to issue an opinion where a supervisory authority intends to adopt such list.

During the last months, 22 supervisory authorities have submitted their draft lists of operations subject to the requirement of a DPIA to the EDPB; on 25 September, the EDPB has issued its Opinion 12/2018.

The aim of the Opinion is to harmonize the lists, in order to avoid inconsistencies that may affect the equivalent protection of the data subjects in the different Member States. Therefore, the EDPB provides indications to the supervisory authorities in order to include certain processing in their lists or to remove those criteria, which the EDPB considers as not necessarily creating high risks for data subjects.

With regard to the Italian supervisory authority (Garante per la protezione dei dati personali)'s draft list, the EDPB points out that it refers to processing operations which are not limited to data subjects in this country. Therefore, the consistency mechanism shall apply.

In addition, the EDPB invites the Garante to indicate that the list is not exhaustive and that it is complementary to the Guidelines on the DPIA issued by WP29.

In relation to the specific processing operations included in the Garante's draft list, the table here below summarizes EDPB's remarks:

Garante DPIA list

 

Comment of the EDPB 

 Processing of biometric data

YES 

- Only where the purpose is to identify a natural person uniquely

- Only when it is done in conjunction with at least one other criterion 

 Processing of genetic data

YES

- Only when it is done in conjunction with at least one other criterion

 Further processing

NO

- Criterion to be removed: further processing does not require a DPIA

 Employee monitoring

YES

- Making explicit the reference to the two criteria provided by the WP29 in Guidelines WP248 (i.e. systematic monitoring and data concerning vulnerable data subjects)

 Referencing a specific legal basis

NO

- References to any specific legal basis to be removed

 Processing using new/innovative technology

YES

- Making reference to innovative technology

- Only when it is done in conjunction with at least one other criterion

If you need any further clarification regarding EDPB's Opinion 12/2018 or if you would like to deepen your knowledge of how to conduct a DPIA, we are available to discuss.

This article was co-authored by Fabia Cairoli and Sara Massalongo

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.