On 4 April, the Article 29 Data Protection Working Party (WP 29) adopted Guidelines on Data Protection Impact Assessment. The Guidelines first define common criteria for all data controllers to help them identify the processing operations that require a data protection impact assessment. A DPIA is not compulsory in every case: it is required when a type of processing “is likely to result in a high risk to the rights and freedoms of natural persons”, as well as in the cases specifically listed in section III of art. 35 of the Regulation. It is therefore crucial to define when a processing operation can be considered concretely risky, and thus requires an assessment of its impact on personal data protection, since the Regulation itself gives no such indication. In this respect, the Guidelines call for a number of factors to be considered, including, for example:
- Evaluation of the data subject, including profiling, in particular to assess aspects of their economic situation, health, preferences, personal interests, etc.;
- Systematic monitoring of data subjects, who in some cases may not be fully aware of who is processing their data and how the processing is being conducted. This applies, for example, to data collected in public spaces or in areas open to the public;
- Large-scale processing of the special categories of personal data referred to in art. 9, or of data relating to criminal convictions and offences referred to in art. 10 of the GDPR (a case included among those specifically listed in paragraph III of art. 35). This applies, for example, to a hospital that retains patients’ data, but not to the processing carried out by an individual physician;
- Data relating to vulnerable subjects, such as children, or workers with respect to processing carried out by their employer. In such a case there is an imbalance of power between the controller and the data subject, which prevents the latter from freely giving consent or exercising the right to object;
- Use of innovative technological or organizational solutions;
- Transfers of personal data outside the European Union, taking into account the country of destination, the possibility of onward transfers, or the likelihood of transfers based on “derogations for specific situations” (Article 49 of the GDPR).
The Guidelines published on 4 April also aim to identify a number of processing cases for which no impact assessment is required, to define common criteria for the methodology to be adopted, and to identify the cases in which the opinion of the Supervisory Authority under art. 36 paragraph I is required (compulsory where the outcome of the assessment confirms the existence of a high risk “in the absence of measures taken by the controller to mitigate the risk”).
They also address processing operations still ongoing on the date the Regulation becomes applicable (May 25, 2018). Although such operations would not formally require an impact assessment, WP 29 recommends in the Guidelines that controllers evaluate whether to carry one out. In any case, it is necessary to check for changes in the risk posed by the processing activities, since in that case an impact assessment must be carried out even though it is not formally mandatory. This occurs, for example, when a new technology is applied to an existing processing operation or when the data are processed for different purposes. In general, WP 29 considers it good practice to repeat the DPIA at least every three years, a reasonable period in which to re-evaluate the circumstances of the specific case and any changes that have occurred and, if necessary, perform a new impact assessment.