When to Conduct DPIAs?

October 14, 2018

Judging by the 22
on national DPIA lists issued recently, the new European Data
Protection Board (EDPB) is making a good fist of one of its key tasks:
fostering consistent application of the EU General Data Protection Regulation
(GDPR) across the EU under the so-called ‘consistency mechanism’ (Art 63).

This article seeks to provide some insight into the EDPB’s
views on when DPIAs should be conducted, based on those opinions.


Before starting to process personal data in situations
likely to result in high risk to individuals, controllers must conduct data
protection impact assessments (DPIAs) (Art 35(1)). Certain situations are
automatically considered ‘high risk’ (Art 35(3)):

a systematic and extensive evaluation of
personal aspects relating to natural persons based on automated processing,
including profiling, and on which decisions are based that produce legal
effects concerning, or similarly significantly affect, the person;

processing on a large scale of special
categories of data referred or of personal data relating to criminal
convictions and offences referred; or

a systematic monitoring of a publicly accessible
area on a large scale.

In addition, national data protection supervisory
authorities (SAs) must publish national lists of the types of processing
operations that will require DPIAs (Art 35(4)). Where these lists involve processing
activities related to the offering of goods or services to data subjects or the
monitoring of their behaviour in several Member States, or may substantially
affect the free movement of personal data within the EU, the consistency
mechanism must be applied to the draft lists (Art 35(6)).

The EDPB previously issued guidelines seeking, among other
things, to promote the development of a common EU list of processing operations
for which a DPIA is mandatory (Art 35(4)) – WP248 rev.01
(WP248). This guidance lists nine specific criteria to consider when assessing
whether there is a high risk requiring a DPIA:

evaluation or scoring

automated decision-making with legal or similar
significant effect

systematic monitoring

sensitive or highly personal data

large-scale processing

matching or combining datasets

data on vulnerable data subjects

innovative use or application of new
technological or organisational solutions, and

where the processing prevents data subjects from
exercising a right or using a service or contract.

WP248 states that ‘In most cases, a data controller can
consider that a processing meeting two criteria would require a DPIA to be
carried out… However, in some cases, a data controller can consider that a
processing meeting only one of these criteria requires a DPIA’.

The EDPB has now issued opinions on 22 draft national DPIA lists,
approving the opinions by simple majority vote (Art 64(3)). SAs must take these
opinions into ‘utmost account’, notifying the EDPB Chair of whether they will
maintain or amend their draft national lists (Art 64(7)). If an SA (who must
provide relevant grounds) does not intend to follow the EDPB opinion in whole
or in part, then a dispute resolution mechanism applies (Art 64(8), Art 65).

We don’t yet know whether any SA is objecting to the EDPB’s
opinion on its list but, assuming these opinions will stand, it is useful to analyse
the commonalities and patterns that can be gleaned from the 22 opinions, as
they provide insight into the majority EDPB views on the approach to DPIAs. The
national lists to which the relevant opinion relates are footnoted.

WP248 rules!

WP248 is king. National DPIA lists must state that they are based
on WP248, complementing and ‘further specifying’ it,[1]
and that they are non-exhaustive.[2]
They should make clear that, in most cases, only processing meeting at least two criteria require a DPIA.[3]
Requiring a DPIA for ‘significant’ risk adds nothing to the GDPR’s ‘high risk’ threshold,
and should be deleted.[4]
Attempts to interpret ‘large scale’ by specifying numeric figures[5]
met with short shrift – again, WP248 rules, and its factors for assessing ‘large
scale’ should be followed.

No DPIA required

Helpfully for controllers, the EDPB opined that SAs cannot
require DPIAs simply because one of
these situations applies:

joint controllership[6]

processing relying on a particular legal basis[7]

‘further processing’[8]

international transfer[9]

conducting processing operations through territorially-distributed
or cross-border information systems, or

processing in the context of ‘the collection of
personal data via interfaces of personal electronic devices which are not
protected against unauthorized readout’.[10]

Employee monitoring

The EDPB disagreed with lists requiring a DPIA specifically
for employee monitoring.[11]
SAs should simply refer to the WP248 criteria, which could require DPIAs for
employee monitoring in any event in light of the criteria of vulnerable data subjects and systematic[12]

Combined with another

A national list may require a DPIA for one of the following,
provided at least one other criterion
applies (presumably criterion from the WP248 list of nine criteria, rather than
from the national list, but unfortunately this was unclear):

processing biometric
data for the purpose of uniquely
an individual (processing biometric data for other purposes
would not be enough)[13]

processing genetic

processing location

processing using ‘innovative’ technology (just using ‘new’ technology alone is not

processing personal data collected by third parties[17]

where the controller is exempted from giving a privacy notice to the data subject regarding
personal data obtained from a third party
in certain situations[18]

processing personal data for scientific or historical purposes,[19]

from one system to another.[20]

The first three, A-C, are of course subsets of the ‘sensitive
data’ criterion listed in WP248. The EDPB has further encouraged some SAs to add
the following types of processing specifically to their lists, where at least
one other criterion applies:

biometric data for the purpose of uniquely
identifying an individual[21]

genetic data,[22]

location data.[23]

D (technologies) is already a WP248 criterion, but the EDPB has
sought to ensure that the focus is on ‘innovative’ rather than just ‘new’, and
that (contrary to what the UK and some other Member State SAs initially felt) use
of innovative technology alone should
not be enough to require a DPIA. This is a laudable, forward-thinking gloss on Art
35’s otherwise seemingly somewhat technophobic slant.

E to H are not listed in the WP248 critieria. E and F
highlight SA concerns with personal data obtained from third parties, and G
perhaps concerns regarding the breadth of the processing that could be allowed
for scientific or historical purposes. H was in only one Member State list, but
given its approval (when combined with another criterion) it is not impossible
that other Member States could add it.


Some lists required a DPIA for processing of personal data
conducted with the aid of an implant, but the EDPB has stated that DPIAs for such
processing should be required only in relation to health data (ie processing non-health personal data using an
implant does not require a DPIA).[24]


The above suggests that if an SA adds any of the ‘Combined’
items above to its national list, the EDPB would approve, and indeed it would
encourage adding the specific types of sensitive data mentioned above (genetic
data etc).

The 22 opinions further indicate that controllers proposing
to initiate any processing in the ‘Combined’ category above should carefully
consider whether to conduct a DPIA if another WP248 criterion also applies –
even if their own national list does not stipulate it.

Conversely, the ‘No DPIA required’ heading should assist
controllers in arguing against SAs who seek to insist that one of those types
of processing alone would require a DPIA.

The author is Dr W
Kuan Hon. Views expressed are Kuan’s alone and not necessarily those of any
organisation with whom she may be associated.

Licence: Creative Commons BY UK

Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany
(Federation, Lander), Greece, Hungary, Ireland, Italy, Latvia, Lithuania,
Malta, Poland, Portugal, Romania, Slovakia, Sweden, UK.

Austria, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Ireland,
Italy, Latvia, Lithuania, Malta, Poland, Romania, Slovakia.



Czech Republic, Estonia, Greece.

Austria, Bulgaria.

Bulgaria, Italy.

Germany (Federation, Lander), Ireland, Italy, Malta, Portugal, Slovakia.

Czech Republic, Latvia

Germany (Federation, Lander), Portugal.

Belgium, Czech Republic, Estonia, France, Hungary, Ireland, Italy, Latvia,
Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden, UK

See WP249
on data processing at work, which the EDPB emphasised still applies.

Finland, France, Hungary, Ireland, Italy, Lithuania, Malta, Netherlands,
Portugal, UK.

Estonia, Finland, France, Hungary, Ireland, Italy, Latvia, Lithuania, Malta,
Poland, UK.

Bulgaria, France, Ireland, Netherlands, Portugal, UK.

Italy, Lithuania, Malta, Portugal, Slovakia, UK. The Czech Republic had an
interesting twist in its list, referring to the first use/application of
innovative technology on its territory. The EDPB asked for this qualifier to be
removed, as ‘high risk is not correlated necessarily with first application’.

Austria, Germany (Federation, Lander), Hungary.

Austria, Germany (Federation, Lander), Hungary. Where personal data has not
been obtained from the data subject but from a third party, the GDPR requires
certain minimum information to be notified to the data subject, for
transparency (Art 14). However, this information need not be given in certain
situations, including where it proves impossible or would involve a
disproportionate effort to provide the information, particularly for processing
for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes or insofar as the notification
obligation is likely to render impossible or seriously impair the achievement
of that processing’s objectives; where the obtaining or disclosure is expressly
laid down by EU or Member State law to which the controller is subject and
which provides appropriate measures to protect the data subject’s legitimate
interests; or where the personal data must remain confidential subject to an
obligation of professional secrecy regulated by EU or Member State law,
including statutory obligation of secrecy (Art 14(5)(b)-(d)). Some SAs had
stipulated that a DPIA would be required in any of the above situations
exempting a controller from notifying the data subject. However, the EDPB
considers that a DPIA should be required here only if there is also at least one other criterion.

Latvia, Lithuania, Slovakia.


Estonia, Germany (Federation, Lander), Latvia, Poland.


Bulgaria, Finland, Hungary, Latvia, Poland, Slovakia.

Belgium, Greece, Portugal.