What are the European privacy regulators' criteria for conducting a DPIA?

Personal Data Authority November 10, 2020

Question & Answer

ANSWER

European privacy regulators have established 9 criteria for assessing whether your proposed processing of personal data poses a high privacy risk to affected individuals. As a rule of thumb, if your processing meets 2 or more of the 9 criteria below, you should conduct a DPIA.

1. Assessing people based on personal characteristics

This includes profiling and forecasting, particularly based on characteristics such as a person's job performance, economic situation, health, personal preferences or interests, reliability or behavior, location or travel.

Examples include a bank that determines the creditworthiness of customers (credit scoring), a company that provides DNA testing to consumers to test for health risks, and a company that tracks visitors to its website and builds profiles of these people based on that information.

2. Automated decisions

These are decisions that have legal effects or similar substantial consequences for the data subject. For example, such data processing may result in people being excluded or discriminated against. Data processing with minor or no effects on people does not fall under this criterion.

For more information, see European privacy regulators' guidelines on automated decision-making and profiling.

3. Systematic and large-scale monitoring

This involves the monitoring of publicly accessible spaces, such as with camera surveillance. Here, personal data may be collected without data subjects knowing who is collecting their data and what subsequently happens with it. Moreover, it may be impossible for people to evade this data processing in public spaces.

4. Sensitive data

These are special categories of personal data (see Article 9 of the AVG, the Dutch name for the GDPR), such as information about a person's political preferences. They also include criminal data. Finally, this includes data that is generally considered privacy-sensitive, such as electronic communications data, location data and financial data.

5. Large-scale data processing

The AVG does not define "large-scale data processing". European privacy regulators recommend using the following criteria to determine whether this is the case:

  • the number of people whose data is processed;

  • the amount of data and/or variety of data being processed;

  • the duration of data processing;

  • the geographic scope of data processing.

See also: What does the AVG consider to be large-scale processing of personal data?

6. Linked databases

These are data collections that are linked or combined with each other: for example, databases resulting from two or more different data processing operations with different purposes and/or carried out by different controllers, combined in a way that data subjects could not reasonably expect.

7. Data on vulnerable persons

When processing this type of data, a DPIA may be necessary because there is an unequal balance of power between the data subject and the data controller. As a result, data subjects cannot freely give or refuse consent to the processing of their data. This may include employees, children and patients, for example.

8. Use of new technologies

The AVG is clear that a DPIA may be required when using a new technology. This is because such use may involve new ways of collecting and using data, with potentially significant privacy risks.

The personal and societal consequences of using a new technology may even be unknown. A DPIA then helps the controller understand and address the risks.

For example, some "Internet of Things" applications can have a major impact on people's daily lives and privacy, requiring a DPIA.

9. Blocking of a right, service or contract

These are data processing operations that result in data subjects being:

  • unable to exercise a right; or

  • unable to use a service; or

  • unable to secure a contract.

For example, a bank processing personal data to determine whether it wants to extend a loan to someone.

Accountability

Note: these 9 criteria are a guide for assessing whether you need to conduct a DPIA. Even if you meet only one or none of these criteria, you must be able to properly justify why you choose not to conduct a DPIA. This is part of the accountability requirement.