Following the EDPB’s Opinion last month, the Irish Data Protection Commission (DPC) has published a non-exhaustive list of processing operations requiring a Data Protection Impact Assessment (DPIA) to be carried out. The list encompasses both national and cross-border data processing operations. It should be read in conjunction with Article 35 of the GDPR and the WP29 DPIA Guidelines.
When is a DPIA required?
The DPC has determined that a DPIA will be mandatory for the following types of processing operations:
- Use of personal data on a large-scale for a purpose(s) other than that for which it was initially collected (a compatibility test must also be carried out pursuant to Article 6(4) GDPR).
- Profiling vulnerable persons including children to target marketing or online services at such persons.
- Use of profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects.
- Systematically monitoring, tracking or observing individuals’ location or behaviour.
- Profiling individuals on a large-scale.
- Processing biometric data to uniquely identify an individual or enable the identification or authentication of an individual in combination with any of the other criteria set out in the WP29 DPIA Guidelines.
- Processing genetic data in combination with any of the other criteria set out in WP29 DPIA Guidelines.
- Indirectly sourcing personal data where GDPR transparency requirements are not being met, including when relying on exemptions based on impossibility or disproportionate effort.
- Combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the data sets are combined from different sources where processing was/is carried out for different purposes or by different controllers.
- Large scale processing of personal data where the Data Protection Act 2018 requires “suitable and specific measures” to be taken in order to safeguard the fundamental rights and freedoms of individuals.
The GDPR and WP29 DPIA Guidelines (as endorsed by the European Data Protection Board) also set out a number of situations when it is mandatory for a data controller to carry out a DPIA, including:
- Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the type of processing, such as where the processing involves new technologies (Article 35(1) GDPR).
- Where a data controller uses systematic and extensive profiling with significant effects, processes special category or criminal offence data on a large scale, or systematically monitors publicly accessible places on a large scale (Article 35(3) GDPR).
- Where processing meets two of the criteria listed in the WP29 DPIA Guidelines (as set out on pages 9-11 of those Guidelines). However, in some cases, processing meeting only one of these criteria may require a DPIA.
Factors influencing DPIA preparation
The DPC notes that where certain factors are present in a processing operation, that processing is likely to result in a high risk and to require a DPIA. These factors are indicative rather than prescriptive, however, and the data controller remains responsible for determining whether a high risk exists. Where there is doubt, conducting a DPIA is advised. The factors include:
- Uses of new or novel technologies.
- Data processing at a large scale.
- Profiling/Evaluation – Evaluating, scoring, predicting of individuals’ behaviours, activities, attributes including location, health, movement, interests, preferences.
- Any systematic monitoring, observation or control of individuals including that taking place in a public area or where the individual may not be aware of the processing or the identity of the data controller.
- Processing of sensitive data including that as defined in GDPR Article 9, but also other personally intimate data such as location and financial data or processing of electronic communications data.
- Processing of combined data sets that goes beyond the expectations of an individual, such as when combined from two or more sources where processing was carried out for different purposes or by different data controllers.
- Processing of personal data relating to vulnerable individuals or audiences that may warrant particular or special consideration because of their inherent nature, context or environment. This will likely include minors, employees, the mentally ill, asylum seekers, the elderly and those suffering incapacitation.
- Automated decision-making with legal or significant effects. This includes automatic decision-making where there is no effective human involvement in the process.
- Insufficient protection against unauthorised reversal of pseudonymisation.
Are there any exemptions to the requirement for a DPIA?
The DPC has determined that a DPIA is NOT required where:
- The processing operation is not likely to result in a high risk to the rights and freedoms of individuals.
- A previous DPIA covering a substantially similar processing operation found that it did not present a high risk.
- The processing has already been authorised by a supervisory authority.
- The processing has a clear legal basis in EU or Member State law, and a DPIA was already carried out as part of the adoption of that legal basis (Article 35(10)).
- The processing is carried out under a legal obligation or public interest task and was covered by an impact assessment conducted when that legal basis was adopted, of which a DPIA formed an element (Article 35(10)).
- The processing operation appears on a list, published by the supervisory authority in accordance with Article 35(5), of operations for which no DPIA is required.
Keep a record of why a DPIA is or is not necessary
A data controller will need to assess, decide and document whether a DPIA is necessary for each proposed data processing operation. Records of processing operations should include the relevant risk information, including the reasons why a DPIA does or does not need to be carried out. The DPC has emphasised, however, that it is good practice to carry out a DPIA for any major new project involving the use of personal data, even if there is no specific indication of likely high risk.