The Personal Data Authority (AP) has compiled a list of processing operations for which conducting a data protection impact assessment (DPIA) is always mandatory before you start processing.
Note: Your processing must always comply with the General Data Protection Regulation (GDPR). If your proposed processing is on this list, you will always need to verify that you have a valid basis for this processing. Do you not have a valid basis? Then you may not process the personal data. Regardless of the results of any DPIA.
This list is aligned at the EU level. Periodically, EU privacy regulators review whether the list needs to be updated.
The list of types of processing for which a DPIA is mandatory includes the terms 'large-scale', 'systematic' and 'systematic'. The term 'large scale' has been further fleshed out by EU privacy regulators.
At the European level, the concepts of 'systematic' and 'systematic' have not (yet) been further defined. Where the list below mentions 'systematic' or 'systematic', you should think of processing that takes place according to a certain system.
A processing of personal data included in the organization's systems or policies should be considered systematic or systematic processing. Data processing that is ad hoc or occasional should not be considered systematic or systematic processing.
1. Covert investigation
Large-scale processing and/or systematic monitoring of personal data where information is collected with investigation, without informing the data subject in advance.
For example, covert investigations by private investigation agencies, anti-fraud investigations, and Internet investigations for such purposes as online copyright enforcement.
A DPIA is also required in the case of covert camera surveillance by employers to combat employee theft or fraud. This sometimes also requires a DPIA because of the unequal balance of power between employee and employer.
2. Blacklists
Processing in which personal data on criminal convictions and offenses, data on unlawful or nuisance behavior or data on bad payment behavior are processed by organizations or individuals and shared with third parties.
For example, blacklists or warning lists, such as those used by insurance companies, hospitality companies, retail companies and telecom providers. And also blacklists that deal with unlawful behavior by employees, for example in health care or by employment agencies.
3. Fraud prevention
Large-scale processing and/or systematic monitoring of (special) personal data for fraud prevention purposes. For example, fraud control by social services or by fraud departments of insurers.
4. Credit scores
Large-scale processing and/or systematic monitoring of personal data leading to or using estimates of the creditworthiness of natural persons, expressed, for example, in a credit score.
5. Financial situation
Large-scale processing and/or systematic monitoring of financial data from which people's income or assets or spending patterns can be deduced. For example, statements of bank transfers, statements of the balances of a person's bank accounts or statements of mobile or PIN payments.
6. Genetic personal data
Large-scale processing and/or systematic monitoring of genetic personal data. For example, DNA analyses to map personal characteristics, bio-databases.
7. Health data
Large-scale processing of data on health (e.g. by institutions or facilities for health care or social services, occupational health and safety services, reintegration companies, (special) educational institutions, insurers and research institutes), including large-scale electronic exchange of data on health.
Please note that individual doctors and individual healthcare professionals are exempt from the obligation to conduct a DPIA under recital 91 of the AVG.
8. Collaborative partnerships
The sharing of personal data in or by collaborative partnerships in which municipalities or other authorities exchange with other public or private parties special personal data or personal data of a sensitive nature, such as data on health, addiction, poverty, problematic debts, unemployment, social problems, criminal data, involvement of youth care or social work. For example, in neighborhood teams, safety houses or information hubs.
9. Camera surveillance
Large-scale processing and/or systematic monitoring of publicly accessible areas with cameras, webcams or drones.
10. Flexible camera surveillance
Large-scale and/or systematic use of flexible camera surveillance. For example, cameras on clothing or helmet of fire or ambulance personnel, dashcams used by emergency services.
11. Monitoring employees
Large-scale processing and/or systematic monitoring of personal data to monitor employee activities. For example, monitoring of e-mail and Internet use, GPS systems in (truck) cars of employees or camera surveillance for theft and fraud prevention.
12. Location data
Large-scale processing and/or systematic monitoring of location data of or traceable to natural persons. For example, by (scanning) cars, navigation systems, telephones, or processing of location data of public transport passengers.
13. Communications data
Large-scale processing and/or systematic monitoring of communications data including metadata traceable to natural persons, unless and to the extent necessary to protect the integrity and security of the network and service of the provider concerned or the end user's peripheral device.
14. Internet of things
Large-scale processing and/or systematic monitoring of personal data generated by Internet-connected devices capable of sending or exchanging data via the Internet or otherwise. For example, 'internet of things' applications, such as smart televisions, smart home appliances, connected toys, smart cities, smart energy meters, medical devices, etc.
15. Profiling
Systematic and comprehensive assessment of personal aspects of natural persons based on automated processing (profiling). For example, assessment of professional performance, student performance, economic situation, health, personal preferences or interests, reliability or behavior.
16. Observation and influencing of behavior
Large-scale processing of personal data involving the systematic observation or influencing of behavior of natural persons through automated processing, or data collected and/or recorded thereon, including data collected for the purpose of online behavioral advertising.
17. Biometric data
Large-scale processing and/or systematic monitoring of biometric data for the purpose of identifying a natural person.
Note: Under the AVG, the processing of biometric data for the purpose of uniquely identifying a natural person is in principle prohibited. In the Netherlands, additional conditions are set in the AVG Implementation Act. The processing of biometric data is only allowed if the processing is strictly necessary for authentication or security purposes.
