EDPB Releases Comments on DPIA Requirements under Article 35.4
The European Data Protection Board has released its Opinions under Article 64 on the draft lists of the supervisory authorities of twenty-two nations concerning the processing operations subject to the requirement of a data protection impact assessment (DPIA) under General Data Protection Regulation (GDPR) Article 35.4.
Lists were submitted by Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden, and the United Kingdom. There are 28 member states in the European Union; Spain is noticeably absent from the list of countries that submitted.
Overall, the EDPB wants to ensure a harmonized and consistent approach to cross-border data flows. The comments by the Board on each of the twenty-two lists reflect an effort to achieve consistent lists rather than a single list. As a result, the Board requested that some Supervisory Authorities add certain types of processing to their lists and remove certain criteria from others. However, the EDPB reinforced the idea that supervisory authorities have a margin of discretion and that its role was to “avoid significant inconsistencies that may affect the equivalent protection of the data subjects.”
The EDPB did request a few clarifications from countries. It clarified that the lists submitted by the Data Protection Authorities were non-exhaustive. Where a DPA did not make this clear, the EDPB requested that this statement be added to its list. The EDPB also asked the Supervisory Authorities to acknowledge that the analysis is done based on the Working Party 29 Guidelines WP 248 and that their lists complement and further specify those guidelines.
The EDPB also made clear that it did not comment on local standards that did not impact the offering of goods or monitoring of behavior in several Member States. It also did not take a position where it was unlikely to involve cross-border data transfers between Member States.
Large Scale
The EDPB reviewed the Greek Supervisory Authority's definition of large scale (using explicit figures) and rejected it. Instead, the Board reaffirmed its endorsement of the WP29 guidelines, which allow organizations to take several specific factors into account in the determination.
Processing that does not result in an obligation to do a DPIA, alone or combined with another criterion:
– Interfaces of personal electronic device unprotected against unauthorized readout.
– Processing based on a specific legal basis
– International transfers
Processing of these types of personal data is insufficient on its own, but sufficient if at least one other criterion is present:
– Using innovative technology.
– Processing under the Article 14.5 exemption.
– Migration from One System to At Least One Other
– Genetic Data
– Biometric Data
– Processing for scientific or historical purposes without consent.
– Article 19 Data Collection via Third Parties (A processing activity under Article 19 (Notification obligation regarding rectification or erasure of personal data or restriction of processing) where disclosure is not required because it would be impossible or involve disproportionate effort does not, without at least one other criterion, require a DPIA.)
– Joint Controllers
Areas where a DPIA may be required without a second criterion:
Employee Monitoring
The EDPB believes employee monitoring processing could require a DPIA because it meets the criterion of both vulnerable data subjects and systematic monitoring. The Board also recognized that WP249 remains valid for systematic processing of employee data.
Health Implant Processing
The EDPB asked Belgium, for example, to specify that a DPIA is required for the processing of health data with the aid of an implant. Non-health data processed with the aid of an implant does not require a DPIA without another criterion.
Resource Links
Here are the opinions: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en
Other EDPB Information
The EDPB has also promised to release new guidelines on the territorial scope of GDPR in the next few days. We are closely watching for them to find out if there are any updates on the law’s application to companies located in the United States without a clear European footprint.