On August 30, 2023, shortly before the new FADP came into force, the FDPIC published a fact sheet on data protection impact assessments (DPIA). Annex 2 contains a proposal for the content and structure of a DPIA.
As is well known, DPIAs are the environmental impact assessments of data protection law: if a project, application or other processing activity has a certain risk potential, the real risks – for the data subjects, not the company – should be assessed in a structured and documented manner as a basis for further decisions by the controller.
This raises numerous questions, e.g:
- What is “processing” that can be the subject of a DPIA? Art. 22 para. 1 FADP partially answers this question by stating that a DPIA can concern “several similar processing operations” – the decisive factor is therefore not the term “processing” or “processing operation” (the terminology of the FADP is not clear here either), but the risk profile. However, the controller is free to describe and delimit the subject matter of a DPIA in a meaningful way, in particular to separate it from generally used infrastructure on which a more sensitive application is running. And of course, DPIAs can also be carried out for non-personal data, and it is equally clear that processors can carry out a DPIA too if it helps them market data-related products.
- When are risks potentially high? Which factors appear ex ante to be so sensitive that they require a DPIA? According to Art. 22 para. 2 FADP, these are the “extensive processing of particularly sensitive personal data” and the “systematic monitoring of extensive public areas”. In particular, it is unclear when processing is “extensive”. A relative approach – a larger proportion of a certain population, such as in the case of banks’ “mass customer data” – can hardly be justified, otherwise customers of small companies would be better protected than those of large companies. We must probably start from absolute figures, whereby the threshold of 5,000, which is sometimes stated under the GDPR, does not have a sufficient basis. A figure of 1,000 is arbitrary, but probably more obvious. It is unclear what “public areas” are in terms of surveillance, but in view of the dispatch (message), only physical areas are meant, i.e. train stations, public parking lots, etc. (and not the internet). – High risks can also exist in other processing operations; Art. 22 para. 2 FADP is not exhaustive. In case of doubt, there will be a tendency towards DPIAs because they are basically a very useful instrument, and also because authorities – the FDPIC – will probably ask for a DPIA as standard for more sensitive projects.
- How does a company ensure that DPIAs are carried out or, upstream, that projects are checked for data protection risks? The FADP does not provide an answer to this – it is solely a question of the effectiveness of internal company processes. It may make sense to record certain risks in the processing register for all processing operations, provided that a processing register is kept, is integrated into a functioning process and is of sufficient quality. For companies with few typical risks, an ad hoc review outside of standardized processes may also be sufficient, for example for smaller companies in the healthcare sector.
- How should a DPIA be carried out? Here too, the FADP provides little guidance. Art. 22 para. only requires “a description of the planned processing”, followed by an “assessment of the risks” for data subjects and the “measures” to protect them. The usual procedure is to determine and describe the object of the DPIA (e.g. data types and flows), carry out a proportionality check of the processing (because excessive processing does not have to be checked for risks, but must be restricted) and then carry out a single or multi-stage check of the risks, the protective measures and the risk resulting from the interaction of risks and measures. A general compliance check for compliance with data protection law is not mandatory, but at least if high residual risks are to be accepted, the controller will generally carry out such an assessment because the FDPIC will ask this question (see below on the FDPIC’s procedure in the event of a submission).
This is not an exhaustive list, but it should be noted in advance: the FDPIC’s fact sheet only partially answers these questions, which is certainly correct because the FDPIC does not want to and cannot interfere with the controllers’ freedom of organization without necessity. However, some points are worth noting:
- The FDPIC rightly distinguishes between risks that always require a DPIA (it calls these “absolute criteria”) and factors that play a role in the more open examination of gross risk and may require a DPIA (one could call them “relative criteria”). The FDPIC only mentions the cases of Art. 22 para. 2 (extensive processing of particularly sensitive personal data and systematic monitoring of extensive public areas) as absolute criteria, but not high-risk profiling. The latter “can typically entail a high risk”, but apparently does not always do so. This is not necessarily wrong, but surprising. – The other risk factors in terms of relative criteria correspond more or less, but not entirely, to those of the European Data Protection Board, and in case of doubt a DPIA should be carried out:
  - Profiling with high risk
  - Automated individual decision
  - New technologies, including artificial intelligence
  - Secret procurement of personal data [EDSA does not mention this as a particular risk factor]
  - Large amount of data
  - Large number of people
  - Extensive processing in terms of time or geography
  - Linking or synchronization of databases
  - Disclosure of personal data to third parties [EDSA does not mention this as a particular risk factor]
  - Monitoring of affected persons
  - Data subjects are prevented from exercising a right, using a service or fulfilling a contract
- The EDSA lists the following criteria:
  - Evaluation or scoring [FDPIC: profiling as such is not listed]
  - Automated decision-making with legal or similarly significant effect
  - Systematic monitoring
  - Sensitive data or data of a highly personal nature [not listed by the FDPIC among the relative criteria]
  - Data processed on a large scale
  - Matching or combining datasets
  - Data concerning vulnerable data subjects [this is not mentioned by the FDPIC]
  - Innovative use or applying new technological or organizational solutions
  - When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”
- Disclosure abroad can be a risk factor. A special examination is required here; this refers to the “Transfer Impact Assessment”. The result should be integrated into the DPIA, e.g. if there are “potential violations of personality and fundamental rights due to the fact that foreign authorities can act under foreign law” and the controller does not assess this risk “with legal certainty and is therefore unable to reliably assess the probability of occurrence and severity of the impending breach even after planning and identifying appropriate measures in the DPIA”. This is certainly not wrong in principle. However, the suggestion that a risk which cannot be reliably assessed tends to be considered high is not correct; as a precautionary measure, the controller can proceed that way, but does not have to. The controller cannot reliably assess many risks, and does not have to – Art. 2 GDPR requires a level of security appropriate to the risks, which calls for an assessment of the foreseeable risks and not science fiction; accordingly, the controller must also work within the framework of the DPIA with what can reasonably be assumed, not with speculation. However, the following sentence is certainly correct: “Transparent disclosure of such risk situations in the DPIA may include disclosure of the fact that they cannot be reliably assessed”.
- Depending on the result of the DPIA, it must be submitted to the FDPIC (Art. 23 FADP). The controller can do this voluntarily if the mitigated, accepted net risks are not high or, in the case of high risks, if a data protection advisor was involved in the DPIA (i.e. in 99% of cases in total). However, the FDPIC “is not required to enter into the matter and take a substantive position. However, it may exceptionally comment on residual risks that are no longer high as part of its advisory activities”. Controllers will hardly submit DPIAs to the FDPIC voluntarily, also with a view to the Publicity Act, unless for reputational reasons, if public reactions are to be expected.
- In the case of a mandatory submission or consultation, the FDPIC proceeds as follows:
“The FDPIC examines whether the DPIA submitted to it identifies and derives the high net risks in an understandable, comprehensible and complete manner. It also examines whether the planned processing, taking into account the risks to be disclosed, is compatible with the requirements of data protection legislation as a whole, in that it is reasonable for those affected in terms of the planned scope and intensity and is therefore justifiable overall.
The FDPIC shall inform the controller of any objections within the two-month period specified in Art. 23 para. 2 FADP. The FDPIC’s opinion is subject to a fee (Art. 59 FADP). It may relate to the planned data processing or also to the design of the DPIA.”
[…] “If a controller refuses to comply with important objections and suggestions made by the FDPIC, the latter may open an investigation and, in due course, formally order the suggested additions or changes, up to and including a ban on processing.”