When to conduct a DPIA under GDPR: EDPB and the consistency mechanism at work.
Judging by the 22 opinions on national DPIA lists issued recently, the new European Data Protection Board (EDPB) is making a good fist of one of its key tasks: fostering consistent application of the EU General Data Protection Regulation (GDPR) across the EU under the so-called ‘consistency mechanism’ (Art 63).
This article seeks to provide some insight into the EDPB’s views on when DPIAs should be conducted, based on those opinions.
Before starting to process personal data in situations likely to result in high risk to individuals, controllers must conduct data protection impact assessments (DPIAs) (Art 35(1)). Certain situations are automatically considered ‘high risk’ (Art 35(3)):
(a) a systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning, or similarly significantly affect, the person;
(b) processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
In addition, national data protection supervisory authorities (SAs) must publish national lists of the types of processing operations that will require DPIAs (Art 35(4)). Where these lists involve processing activities related to the offering of goods or services to data subjects or the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the EU, the consistency mechanism must be applied to the draft lists (Art 35(6)).
The EDPB previously issued guidelines seeking, among other things, to promote the development of a common EU list of processing operations for which a DPIA is mandatory (Art 35(4)) — WP248 rev.01 (WP248). This guidance lists nine specific criteria to consider when assessing whether there is a high risk requiring a DPIA:
1. evaluation or scoring
2. automated decision-making with legal or similar significant effect
3. systematic monitoring
4. sensitive or highly personal data
5. large-scale processing
6. matching or combining datasets
7. data on vulnerable data subjects
8. innovative use or application of new technological or organisational solutions, and
9. where the processing prevents data subjects from exercising a right or using a service or contract.
WP248 states that ‘In most cases, a data controller can consider that a processing meeting two criteria would require a DPIA to be carried out… However, in some cases, a data controller can consider that a processing meeting only one of these criteria requires a DPIA’.
The EDPB has now issued opinions on 22 draft national DPIA lists, approving the opinions by simple majority vote (Art 64(3)). SAs must take these opinions into ‘utmost account’, notifying the EDPB Chair of whether they will maintain or amend their draft national lists (Art 64(7)). If an SA (who must provide relevant grounds) does not intend to follow the EDPB opinion in whole or in part, then a dispute resolution mechanism applies (Art 64(8), Art 65).
We don’t yet know whether any SA is objecting to the EDPB’s opinion on its list but, assuming these opinions will stand, it is useful to analyse the commonalities and patterns that can be gleaned from the 22 opinions, as they provide insight into the majority EDPB views on the approach to DPIAs. The national lists to which the relevant opinion relates are footnoted.
WP248 is king. National DPIA lists must state that they are based on WP248, complementing and ‘further specifying’ it, and that they are non-exhaustive. They should make clear that, in most cases, only processing meeting at least two criteria requires a DPIA. Requiring a DPIA for ‘significant’ risk adds nothing to the GDPR’s ‘high risk’ threshold, and should be deleted. Attempts to interpret ‘large scale’ by specifying numeric figures met with short shrift — again, WP248 rules, and its factors for assessing ‘large scale’ should be followed.
No DPIA required
Helpfully for controllers, the EDPB opined that SAs cannot require DPIAs simply because one of these situations applies:
· joint controllership
· processing relying on a particular legal basis
· ‘further processing’
· international transfer
· conducting processing operations through territorially-distributed or cross-border information systems, or
· processing in the context of ‘the collection of personal data via interfaces of personal electronic devices which are not protected against unauthorized readout’.
The EDPB disagreed with lists requiring a DPIA specifically for employee monitoring. SAs should simply refer to the WP248 criteria, which could require DPIAs for employee monitoring in any event in light of the criteria of vulnerable data subjects and systematic monitoring.
Combined with another criterion
A national list may require a DPIA for one of the following, provided at least one other criterion applies (presumably a criterion from the WP248 list of nine criteria, rather than from the national list, but unfortunately this was unclear):
A. processing biometric data for the purpose of uniquely identifying an individual (processing biometric data for other purposes would not be enough)
B. processing genetic data
C. processing location data
D. processing using ‘innovative’ technology (just using ‘new’ technology alone is not enough)
E. processing personal data collected by third parties
F. where the controller is exempted from giving a privacy notice to the data subject regarding personal data obtained from a third party in certain situations
G. processing personal data for scientific or historical purposes, or
H. migration from one system to another.
The first three, A-C, are of course subsets of the ‘sensitive data’ criterion listed in WP248. The EDPB has further encouraged some SAs to add the following types of processing specifically to their lists, where at least one other criterion applies:
· biometric data for the purpose of uniquely identifying an individual
· genetic data, or
· location data.
D (technologies) is already a WP248 criterion, but the EDPB has sought to ensure that the focus is on ‘innovative’ rather than just ‘new’, and that (contrary to what the UK and some other Member State SAs initially felt) use of innovative technology alone should not be enough to require a DPIA. This is a laudable, forward-thinking gloss on Art 35’s otherwise seemingly somewhat technophobic slant.
E to H are not listed in the WP248 criteria. E and F highlight SA concerns with personal data obtained from third parties, and G perhaps concerns regarding the breadth of the processing that could be allowed for scientific or historical purposes. H was in only one Member State list, but given its approval (when combined with another criterion) it is not impossible that other Member States could add it.
Some lists required a DPIA for processing of personal data conducted with the aid of an implant, but the EDPB has stated that DPIAs for such processing should be required only in relation to health data (ie processing non-health personal data using an implant does not require a DPIA).
The above suggests that if an SA adds any of the ‘Combined’ items above to its national list, the EDPB would approve, and indeed it would encourage adding the specific types of sensitive data mentioned above (genetic data etc).
The 22 opinions further indicate that controllers proposing to initiate any processing in the ‘Combined’ category above should carefully consider whether to conduct a DPIA if another WP248 criterion also applies — even if their own national list does not stipulate it.
Conversely, the ‘No DPIA required’ heading should assist controllers in arguing against SAs who seek to insist that one of those types of processing alone would require a DPIA.
The author is Dr W Kuan Hon. Views expressed are Kuan’s alone and not necessarily those of any organisation with whom she may be associated.
Licence: Creative Commons BY UK
Footnotes
Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany (Federation, Länder), Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Poland, Portugal, Romania, Slovakia, Sweden, UK.
Austria, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Ireland, Italy, Latvia, Lithuania, Malta, Poland, Romania, Slovakia.
Czech Republic, Estonia, Greece.
Austria, Bulgaria.
Bulgaria, Italy.
Germany (Federation, Länder), Ireland, Italy, Malta, Portugal, Slovakia.
Czech Republic, Latvia.
Germany (Federation, Länder), Portugal.
Belgium, Czech Republic, Estonia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden, UK.
See WP249 on data processing at work, which the EDPB emphasised still applies.
Finland, France, Hungary, Ireland, Italy, Lithuania, Malta, Netherlands, Portugal, UK.
Estonia, Finland, France, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Poland, UK.
Bulgaria, France, Ireland, Netherlands, Portugal, UK.
Italy, Lithuania, Malta, Portugal, Slovakia, UK. The Czech Republic had an interesting twist in its list, referring to the first use/application of innovative technology on its territory. The EDPB asked for this qualifier to be removed, as ‘high risk is not correlated necessarily with first application’.
Austria, Germany (Federation, Länder), Hungary.
Austria, Germany (Federation, Länder), Hungary. Where personal data has not been obtained from the data subject but from a third party, the GDPR requires certain minimum information to be notified to the data subject, for transparency (Art 14). However, this information need not be given in certain situations, including where it proves impossible or would involve a disproportionate effort to provide the information, particularly for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or insofar as the notification obligation is likely to render impossible or seriously impair the achievement of that processing’s objectives; where the obtaining or disclosure is expressly laid down by EU or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or where the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law, including a statutory obligation of secrecy (Art 14(5)(b)-(d)). Some SAs had stipulated that a DPIA would be required in any of the above situations exempting a controller from notifying the data subject. However, the EDPB considers that a DPIA should be required here only if there is also at least one other criterion.
Latvia, Lithuania, Slovakia.
Estonia, Germany (Federation, Länder), Latvia, Poland.
Bulgaria, Finland, Hungary, Latvia, Poland, Slovakia.
Belgium, Greece, Portugal.