In it previous post, we analyze the Evaluation concept Impact Statement relating to data protection “EIPD” and the cases in which the GDPR establishes the need to perform this analysis.
In this sense, it is important to pay attention to the provisions of the RGPD but we cannot forget the fact that it is a non-exhaustive list, so it will also be necessary to take into consideration the criteria provided by WG29 in their Guidelines on data protection impact assessment.
¿What are the criteria provided by the WG29 in its Guidelines on data protection impact assessment?
Let's analyze them below:
- Evaluation or scoring: refers to the study and analysis of the interested party. An example can be found in those health insurance companies that give their insured an activity bracelet that works with an insurer's app and that offers rewards or improvements in the premium depending on the subject's activity.
- Automated decision making with significant legal effect or similar. It is based on the processing of personal data in an automated manner (for example through an algorithm) which produces legal effects on the individual.
- Systematic surveillance or monitoring: involves the observation, supervision or control of individuals, including here the systematic control of an area accessible to the public. This happens with those companies that have geolocation technologies and monitor the individual.
- Sensitive data or very personal data. That is, those cases in which special categories of data and/or data related to criminal convictions and infractions are going to be processed.
- Large-scale data processing. This condition is also directly included in the GDPR, which is why we already addressed it in the previous article.
- Association or combination of data sets. It refers to the linking of data from two or more processing activities carried out for different purposes or by different data controllers. An example can be found in companies in the same sector, which for strategic reasons decide to combine their databases.
- Data relating to vulnerable data subjects. In these cases, it is very easy to determine this issue when we talk about minors since this is easily identifiable, but we must not lose focus on the fact that we must take into consideration the power imbalance that exists between the individual and the person responsible, as can happen in the workplace.
- Innovative use or application of technological or organizational solutions. An example may be the use of facial recognition technologies.
- When the processing itself prevents the interested parties from exercising a right, using a service or executing a contract, as can happen when the data have been collected by a person responsible who is different from the one who is going to process them and there is an obligation of professional secrecy regarding them.
Once these criteria have been analyzed, we cannot forget two important questions in order to determine this issue, since The Control Authorities have the obligation to create lists with the types of treatment operations that do require a DPIA. And what does this translate into? In the fact that in addition to reviewing the applicable national legislation, in the case of Spain the LOPDGDD 3/2018, we must also consult the lists published by the different Authorities.
¿How many of these criteria must be met to determine whether it is appropriate to carry out a DPIA??
After knowing the criteria to take into consideration, you may be wondering how many of these must materialize to determine if a DPIA should be performed. In this sense, the WG29 considers that The more criteria are met, the greater the likelihood that it entails a high risk for the rights and freedoms of the data subjects, Therefore, I encourage you to analyze each and every one of them, as well as to review the lists of the different Authorities to determine this issue.
