- Art. 35 GDPR requires a data protection impact assessment (DPIA) in advance if there is likely to be a high risk for data subjects, typically in the case of profiling, sensitive data or systematic monitoring.
- The Working Party recommends methodical checklists, repetition at least every three years, consultation with the supervisory authority if a high residual risk remains, and comprehensive documentation.
The GDPR provides in Art. 35 that a data protection impact assessment (DPIA) must be carried out if a processing operation is "likely to result in a high risk" for data subjects. The Article 29 Working Party has now published the draft of Working Paper 248 on DPIAs (WP 248, PDF) with various clarifications on Art. 35 GDPR. This working paper is of particular importance because the Article 29 Working Party (which will be replaced by the European Data Protection Board under Art. 68 GDPR once the GDPR applies) is composed of representatives of the supervisory authorities of the member states, i.e. of precisely those authorities that are to clarify, by means of positive and negative lists (Art. 35(4) and (5) GDPR), when a DPIA has to be carried out.
Comments on the draft can be submitted until May 23, 2017.
When must a DPIA be carried out?
A DPIA must be carried out whenever a processing operation
- is likely to result in a high risk,
- has not yet been the subject of a DPIA, and
- is not based on a legal basis for which a general impact assessment was already carried out when that legal basis was adopted (Art. 35(10) GDPR).
Trigger criterion: "likely to result in a high risk"
The Working Party comments, among other things, on when a DPIA has to be carried out, i.e. when a high risk is likely. Drawing primarily on Art. 35(3) GDPR, it regards the following circumstances as indications of a high risk:
- scoring, profiling and evaluation, e.g. the assessment of creditworthiness by a bank or behavioural marketing,
- automated decisions in individual cases (a separate working paper on profiling will provide clarifications here),
- systematic monitoring,
- processing of sensitive data,
- large-scale processing operations (relevant factors are the number of data subjects, the volume of data processed and the number of data categories, followed by the duration of the processing and its geographical scope),
- the matching or combining of data sets in a way that the data subjects would not reasonably expect,
- the processing of data of particularly vulnerable persons,
- novel processing operations and the use of new technologies (e.g. fingerprint sensors or facial recognition),
- transfers of personal data to recipients outside the EU,
- processing operations that prevent data subjects from exercising a right or using a service, for example the assessment of creditworthiness by a bank before granting a loan.
As a rule of thumb, a DPIA is required if at least two of the above criteria are met (special circumstances reserved).
The Working Paper gives the following examples of processing operations for which a DPIA would be required:
- A hospital processing its patients’ genetic and health data (hospital information system)
- The use of a camera system to monitor driving behavior on highways. The controller envisages to use an intelligent video analysis system to single out cars and automatically recognize license plates.
- A company monitoring its employees’ activities, including the monitoring of the employees’ work station, internet activity, etc.
- The gathering of public social media profiles data to be used by private companies generating profiles for contact directories.
By contrast, the following examples are given of processing operations for which no DPIA is required:
- An online magazine using a mailing list to send a generic daily digest to its subscribers.
- An e‑commerce website displaying advertisements for vintage car parts involving limited profiling based on past purchases behavior on certain parts of its website.
Of course, a controller is always required to keep an eye on the risks of its processing (Art. 32 GDPR) and to document the technical and organisational security measures taken in its record of processing activities (Art. 30(1)(g) GDPR). This also applies to risks that are not high.
Transitional law
According to the wording of Art. 35 GDPR, the obligation to carry out a DPIA applies only to future processing operations. Under transitional law, the obligation can therefore only concern processing operations that have not yet started on May 25, 2018. However:
- The Working Paper "strongly" recommends that a DPIA also be carried out for processing operations that are already in progress. In doing so, the Working Party relies, among other things, on Art. 35(11) GDPR, according to which a controller may have to review whether a processing operation is performed in accordance with the DPIA.
- If ongoing processing operations are significantly changed after May 25, 2018, they are to be regarded as new processing operations for which a DPIA may have to be carried out.
- The same applies if the risk of an ongoing processing operation increases after May 25, 2018 because the context of the processing has changed.
Carrying out a DPIA
Timing
Where required, a DPIA must be carried out before the risky processing starts (Art. 35(1) GDPR: "prior to the processing"). The Working Paper recommends that the DPIA be started as early as possible, even if not all details of the processing have been determined, and that it be updated whenever the processing changes. In the view of the Working Party, a DPIA should therefore not be a one-off exercise but an instrument for ongoing risk monitoring and design:
In some cases the DPIA will be an on-going process, for example where a processing operation is dynamic and subject to ongoing change. Carrying out a DPIA is a continual process, not a one-time exercise.
Responsibility
The obligation to carry out a DPIA rests with the controller (Art. 35(1) GDPR), who of course does not have to perform it personally. The controller must seek the advice of the data protection officer (Art. 35(2) GDPR), who also monitors the performance of the DPIA (Art. 39(1)(c) GDPR). A processor involved in the processing in question must assist the controller in this regard (Art. 28(3)(f) GDPR).
In addition, according to Art. 35(9) GDPR, the controller shall, "where appropriate, seek the views of data subjects or their representatives". The Working Party recommends documenting whether these views were sought, what the result was and, where applicable, which considerations led the controller not to follow them. The views need not be obtained by a survey; a study, for example, may also serve the purpose.
Procedure and content
The GDPR does not contain any precise requirements as to the manner in which a DPIA must be carried out. Art. 35(7) GDPR only prescribes the following minimum content:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Methodologically, a DPIA therefore requires the following:
- Assessment of the specific nature of the processing in question, its scope, context and purposes;
- Assessment of risks, especially probability of occurrence and severity of possible injury;
- Minimizing risk, ensuring compliance with the GDPR and documentation.
The Working Paper illustrates the typical sequence of these steps in a flowchart (figure not reproduced here).
However, the specific procedure is largely left to the discretion of the controller. What is essential is the following:
However, whatever its form, a DPIA must be a genuine assessment of risks, allowing controllers to take measures to address them.
Annex 2 of the Working Paper compiles the required content of a DPIA in the form of a checklist.
Publication of the DPIA
The GDPR does not oblige the controller to publish the DPIA or its outcome. The Working Party nevertheless recommends at least considering publication in whole or in part, especially where members of the public are affected.
Repetition and review
The Working Party recommends that a DPIA be repeated at least every three years. This is not, however, a genuine legal obligation unless circumstances that increase the risk have arisen since the last DPIA (Art. 35(11) GDPR).
Consultation with the supervisory authority
It follows from Art. 36 GDPR that the supervisory authority must be consulted prior to the processing if the DPIA shows that a high risk remains despite the mitigating measures. The provision is unclearly worded but is clarified by recitals 84 and 94. The Working Party likewise notes:
It is in cases where the identified risks cannot be sufficiently addressed by the data controller (i.e. the residual risks remains high) then the data controller must consult the supervisory authority.
Territorial scope of Art. 35 GDPR
The Working Paper says nothing about the territorial scope of Art. 35 GDPR. It therefore remains open whether foreign controllers that are subject to the GDPR by virtue of Art. 3(2) GDPR are obliged to carry out a DPIA under the GDPR.
Action guide
The Working Party summarizes the obligations of the controller under Art. 35 and 36 GDPR as follows:
Where a likely high risk processing is planned, the data controller must:
- choose a DPIA methodology (examples given in Annex 1) that satisfies the criteria in Annex 2, or specify and implement a systematic DPIA process that
- is compliant with the criteria in Annex 2;
- is integrated into existing design, development, change, risk and operational review processes in accordance with internal processes, context and culture;
- involves the appropriate interested parties and define their responsibilities clearly (controller, DPO, data subjects or their representatives, business, technical services, processors, information security officer, etc.);
- provide the DPIA report to the competent supervisory authority when required to do so;
- consult the supervisory authority when they have failed to determine sufficient measures to mitigate the high risks;
- periodically review the DPIA and the processing it assesses, at least when there is a change of the risk posed by processing the operation;
- document the decisions taken.
Swiss regulation: Art. 16 VE-DSG
The preliminary draft of the revised Swiss Data Protection Act (VE-DSG) provides for an analogous obligation in Art. 16. Under the Swiss draft, however, a DPIA would already be required where the relevant risks are "increased", and the FDPIC would have to be informed of every DPIA, i.e. even where the DPIA shows that security measures reduce the risks to the point that no increased residual risk remains (under the GDPR, a corresponding obligation exists only if a high residual risk remains; Art. 36 GDPR is, however, unclearly worded, which may have influenced the preliminary draft). In addition, it is unclear who has to carry out the DPIA ("the controller or the processor").
Despite these deviations (which were strongly criticised in the consultation process), Swiss companies can be expected to align themselves with the EU standard for DPIAs.