A Data Protection Impact Assessment (DPIA) is mandatory for certain types of processing. In the decision of the Autoriteit Persoonsgegevens (AP) published last week, you can see for which processing operations this DPIA obligation applies.

The AP's list builds on the information previously published by the AP on its website. What is new is that a DPIA must also be carried out before the start of any processing of biometric data (e.g. fingerprints).
The AP's list sets out various types of processing. For each type, the AP indicates the conditions under which a DPIA is mandatory. These include processing in the area of:
Covert investigation (e.g. covert camera surveillance by employers as part of theft and fraud prevention)
Blacklists (as used by insurance companies, hospitality companies, retail companies, telecom providers, in the healthcare industry and by employment agencies, among others)
Fraud prevention (e.g., by social services or insurers)
Credit scores
Genetic personal data
Health data (e.g. by health or social service institutions or facilities, occupational health and safety services, reintegration companies, insurers)
(Flexible) camera surveillance
Monitoring employees (e.g., monitoring e-mail or Internet use, GPS systems or camera surveillance for theft or fraud prevention purposes)
Location data and communication data
Internet of things (e.g., smart televisions, smart home appliances, connected toys, smart cities, smart meters)
Biometric data (for the purpose of identifying a human being)
Large-scale? Systemic?
For most of these processing operations, the DPIA is required only if the processing is large-scale or involves systematic monitoring.
Whether processing is "large-scale" must be judged by the number of data subjects (whose data are processed), the amount of data, the duration of the processing and the geographical scope. "Systematic" processing, according to the AP, occurs when the processing is done according to a particular system, for example when it is based on an organization's policy. This threshold is easily met: camera surveillance or monitoring of Internet traffic in the workplace are examples.
DPIA requirements
A DPIA must meet the following basic requirements:
The intended processing and its purposes are systematically described (including indication of legitimate interest if the processing is based on it)
The necessity and proportionality of the processing is assessed.
Privacy risks to data subjects are assessed.
The intended measures to address those risks (such as safeguards and security measures) and to demonstrate compliance with the AVG (GDPR) are described.
Conducting a DPIA is not a one-time affair. The AP characterizes it as a "continuous process," in which the organization must keep monitoring whether the data processing changes, for example because a new technology is applied or the purpose changes. A new DPIA may then be mandatory. According to the AP, it is therefore advisable to conduct a DPIA periodically even if the processing has not changed, for example once every three years.
Prior AP consultation
The DPIA clarifies whether the processing poses a high risk to the privacy of the data subjects. If that is the case, and if no measures can be found that reduce this high risk (the "residual risk"), the organization must consult the AP in advance. The processing may then start only after approval from the AP.
