Knowledge | 20 November 2018

DPC Publishes Finalised List of When a DPIA is Required

The Irish Data Protection Commission (the “DPC”) has published a finalised list of circumstances in which a data protection impact assessment (“DPIA”) will be required, following the adoption by the European Data Protection Board (the “EDPB”) of an opinion on an earlier draft list.

Article 35 of the General Data Protection Regulation (the “GDPR”) requires that a DPIA be carried out by a controller where a type of data processing, in particular using new technology, is likely to result in a “high risk to the rights and freedoms of natural persons …”. The GDPR sets out a number of specific instances in which controllers must conduct a DPIA, and under Article 35(4) it further requires national data protection authorities to adopt and publish a list of the kinds of processing operations for which a DPIA is required.

Following a public consultation process, the DPC submitted a draft list to the EDPB on 11 July 2018. The EDPB adopted an opinion on the draft list, which was published on 3 October 2018. Notably, the EDPB opined that the DPC’s initial draft list was too broad in some areas.

The DPC published its finalised list on 15 November 2018, indicating that DPIAs will be mandatory for the following types of processing operations:

  1. Use of personal data on a large scale for a purpose or purposes other than that for which it was initially collected, pursuant to GDPR Article 6(4).
  2. Profiling vulnerable persons including children to target marketing or online services at such persons.
  3. Use of profiling or algorithmic means or special category data as an element to determine access to services or that result in legal or similarly significant effects.
  4. Systematically monitoring, tracking or observing individuals’ location or behaviour.
  5. Profiling individuals on a large-scale.
  6. Processing biometric data to uniquely identify an individual or individuals or enable or allow the identification or authentication of an individual or individuals in combination with any of the other criteria set out in Article 29 Working Party Guidelines on DPIAs (which have been adopted by the EDPB) (the “Guidelines”).
  7. Processing genetic data in combination with any of the other criteria set out in the Guidelines.
  8. Indirectly sourcing personal data where GDPR transparency requirements are not being met, including when relying on exemptions based on impossibility or disproportionate effort.
  9. Combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the datasets are combined from different sources where processing was/is carried out for different purposes or by different controllers.
  10. Large scale processing of personal data where the Data Protection Act 2018 requires “suitable and specific measures” to be taken in order to safeguard the fundamental rights and freedoms of individuals.

The fact that a type of processing is absent from this list does not mean that such processing can be carried out without a DPIA. The DPC states: “[t]his list does not remove the general requirement to carry out proper and effective risk assessment and risk management of proposed data processing operations nor does it exempt the controller from the obligation to ensure compliance with any other obligation of the GDPR … it is good practice to carry out a DPIA for any major new project involving the use of personal data, even if there is no specific indication of likely high risk.”

The DPC has also listed a number of factors that are indicative of a processing operation being likely to result in a high risk, particularly where more than one is present. These factors are as follows:

  • Uses of new or novel technologies.
  • Data processing at a large scale.
  • Profiling/Evaluation – evaluating, scoring or predicting individuals’ behaviours, activities or attributes, including location, health, movement, interests and preferences.
  • Any systematic monitoring, observation or control of individuals including that taking place in a public area or where the individual may not be aware of the processing or the identity of the data controller.
  • Processing of sensitive data including that as defined in GDPR Article 9, but also other personally intimate data such as location and financial data or processing of electronic communications data.
  • Processing of combined data sets that goes beyond the expectations of an individual, such as when combined from two or more sources where processing was carried out for different purposes or by different data controllers.
  • Processing of personal data related to vulnerable individuals or audiences that may have particular or special considerations related to their inherent nature, context or environment. This will likely include minors, employees, the mentally ill, asylum seekers, the aged and those suffering incapacitation.
  • Automated decision-making with legal or significant effects. This includes automatic decision-making where there is no effective human involvement in the process.
  • Insufficient protection against unauthorised reversal of pseudonymisation.

Ultimately, however, a controller is responsible for determining the risk level involved and the DPC advises conducting DPIAs in cases where there is any doubt.

As part of this list, the DPC has also published a list of exemptions to the requirement to carry out a DPIA. These are where:

  • processing operations do not result in a high risk to the rights and freedoms of individuals;
  • processing was previously found, by a DPIA, not to be high risk;
  • processing has already been authorised by a supervisory authority;
  • processing pursuant to point (c) or (e) of Article 6(1) already has an existing clear and specific legal basis in EU or Member State law and where a DPIA has already been carried out as part of the establishment of that legal basis as per Article 35(10); and/or
  • a supervisory authority chooses to enumerate the processing operation in accordance with GDPR Article 35(5).

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.
