The Privacy Data Protection Authority, under their own decision (published in the Official Gazette General Series no. 269 dated 19th November 2018) has adopted a list of the kind of processing operations subject to a data protection impact assessment, as set forth under Article 35, paragraph 4, of Regulation (EU) no. 2016/679 on the protection of data relating to individuals (better known as the GDPR, or RGPD).
Pursuant to the Article 35 GDPR, when a certain type of data processing - in particular due to the utilisation of new technologies - can pose a high risk for the rights and freedoms of natural persons, the Data Controller, in evaluating the nature, subject, context and purpose of the processing, is to undertake a data protection impact assessment regarding the protection of personal data (DPIA) prior to proceeding with the processing.
Alongside this general provision, within Article 35, paragraph 3, the European legislator has focused on identifying a list (only by way of example) of cases in which a DPIA is required (such as the large-scale systematic surveillance of an area accessible to the public).
The impact assessment guidelines adopted by the Working Group pursuant to Article 29 for the protection of data dated 04.04.2017 (et seq.), identify the following nine criteria to be taken into account for the purposes of the identification of the processing that could present a “high risk”: 1) the evaluation or awarding of a score, inclusive of profiling and prediction, particularly in consideration of “performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her”; 2) automated decision-making process with a legal impact or significantly affecting people in the same way; 3) the systematic monitoring of the interested parties; 4) sensitive data, or data having of a highly-personal nature; 5) large-scale processing data; 6) creating matches or combinations of sets of data; 7) data related to vulnerable Data Subjects; 8) innovative use or application of new technological or organisational solutions; 9) when the processing itself “prevents data subjects from exercising a right or using a service or a contract”.
The list adopted by the Data Protection Authority operates within the same scope, despite initially complicating the interpretative framework somewhat, regarding the relationship between the “norm-based” (Article 35 GDPR), the guidelines referred to and the list itself, as well as the nature of the list not being so clear (in its original version).
As a result of the issues raised by the European Committee for Data Protection, expressed in relation to the list adopted as part of the opinion rendered pursuant to Article 64 para. 1 RGPD, the list was then amended by the Data Protection Authority with the addition, amongst other things, of specifications regarding the relationship between these various sources, clarifying in particular that:
- the regulatory basis is obviously without prejudice in its mandatory scope;
- the list was drawn up in line with the Guidelines indicated, for the purpose of further specifying the content and completion of the same;
- the list is adopted in application of the principle of coherence, to permit uniformity of interpretation on an EU basis, and thus should not be considered exhaustive.
The original version of the list depicted a series of processing means, and in particular those relating to: (a) the processing of biometric data; b) the processing of genetic data; c) the processing operations carried out through the use of innovative technologies, in relation to which the obligation of following a DPIA was foreseen via direct and automatic means.
In this regard, the EU Committee has nonetheless noted that such processing types do not necessarily constitute a high degree of risk; therefore, the DPIA is required only upon the existence of at least one other of the nine criteria listed within the Guidelines.
What’s more, following the transposition of the revelations formulated by the CEPD, two specific processing classes have been entirely amended, having been present in the original version of the list (referencing the hypothesis of “ulterior” personal data processing and that based on a specific legal foundation).
Finally, with regard to the monitoring of employees, as a result of the observations made by the CEPD, clarification has been provided that requires the creation of a DPIA for each form of processing undertaken within the scope of the employment relationship via technological means (also with regard to video surveillance and geo-location systems) from which derives the possibility to remotely control employee activities (in relation to criteria no. 3, 7 and 8 of the Guidelines).