FDPIC: Fact sheet on data protection impact assessments

On August 30, 2023, shortly before the new FADP came into force, the FDPIC published a fact sheet on data protection impact assessments (DPIA). Annex 2 contains a proposal for the content and structure of a DPIA.

As is well known, DPIAs are the environmental impact assessments of data protection law: if a project, application or other processing activity has a certain risk potential, the real risks – for the data subjects, not the company – should be assessed in a structured and documented manner as a basis for further decisions by the controller.

This raises numerous questions, e.g.:

  • What is “processing” that can be the subject of a DPIA? Art. 22 para. 1 FADP partially answers this question by stating that a DPIA can concern “several similar processing operations” – the decisive factor is therefore not the term “processing” or “processing operation” (the terminology of the FADP is not clear here either), but the risk profile. However, the controller is free to describe and delimit the subject matter of a DPIA in a meaningful way, in particular to separate it from generally used infrastructure on which a more sensitive application is running. And of course, DPIAs can also be carried out for non-personal data, and it is also clear that processors can carry out a DPIA if they can market data-related products better as a result.
  • When are risks potentially high? Which factors appear ex ante to be so sensitive that they require a DPIA? According to Art. 22 para. 2 FADP, these are the “extensive processing of particularly sensitive personal data” and the “systematic monitoring of extensive public areas”. In particular, it is unclear when processing is “extensive”. A relative approach – a larger proportion of a certain population, such as in the case of banks’ “mass customer data” – can hardly be justified, otherwise customers of small companies would be better protected than those of large companies. We must probably start from absolute figures, whereby the threshold of 5,000, which is sometimes stated under the GDPR, does not have a sufficient basis. A figure of 1,000 is arbitrary, but probably more obvious. It is unclear what “public areas” are in terms of surveillance, but in view of the Federal Council’s dispatch, only physical areas are meant, i.e. train stations, public parking lots, etc. (and not the internet). – High risks can also exist in other processes; Art. 22 para. 2 FADP is not exhaustive. In case of doubt, there will be a tendency towards DPIAs because they are basically a very useful instrument, and also because authorities – the FDPIC – will probably ask for a DPIA as standard for more sensitive projects.
  • How does a company check that DPIAs are carried out or, upstream, that projects are checked for data protection risks? The FADP does not provide an answer to this – it is solely a question of the effectiveness of internal company processes. It may make sense to record certain risks in the processing register for all processing operations, provided that a processing register is kept, is integrated into a functioning process and is of sufficient quality. For companies with few typical risks, an ad hoc review outside of standardized processes may also be sufficient, for example for smaller companies in the healthcare sector.
  • How should a DPIA be carried out? Here too, the FADP provides little guidance. Art. 22 para. only requires “a description of the planned processing”, followed by an “assessment of the risks” for data subjects and the “measures” to protect them. The usual procedure is to determine and describe the object of the DPIA (e.g. data types and flows), carry out a proportionality check of the processing (because excessive processing does not have to be checked for risks, but must be restricted) and then carry out a single- or multi-stage check of the risks, the protective measures and the risk resulting from the interaction of risks and measures. A general check for compliance with data protection law is not mandatory, but at least if high residual risks are to be accepted, the controller will generally carry out such an assessment because the FDPIC will ask this question (see below on the FDPIC’s procedure in the event of a submission).

This is not an exhaustive list, but it should be noted in advance: the FDPIC’s fact sheet only partially answers these questions, which is certainly correct because the FDPIC does not want to and cannot interfere with the controllers’ freedom of organization without necessity. However, some points are worth noting:

  • The FDPIC rightly distinguishes between risks that always require a DPIA (he calls these “absolute criteria”) and factors that play a role in the more open examination of gross risk and may require a DPIA (one could call them “relative criteria”). The FDPIC only mentions the cases of Art. 22 para. 2 (extensive processing of particularly sensitive personal data and systematic monitoring of extensive public areas) as absolute criteria, but not high-risk profiling. The latter “can typically entail a high risk”, but apparently does not always do so. This is not necessarily wrong, but surprising. – The other risk factors in terms of relative criteria correspond more or less, but not entirely, to those of the European Data Protection Board, and in case of doubt a DPIA should be carried out:
    • Profiling with high risk
    • Automated individual decision
    • New technologies, including artificial intelligence
    • Secret procurement of personal data [the EDPB does not mention this as a particular risk factor]
    • Large amount of data
    • Large number of people
    • Extensive processing in terms of time or geography
    • Linking or synchronization of databases
    • Disclosure of personal data to third parties [the EDPB does not mention this as a particular risk factor]
    • Monitoring of affected persons
    • Data subjects are prevented from exercising a right, using a service or fulfilling a contract

  • The EDPB lists the following criteria:
    • Evaluation or scoring [FDPIC: profiling in itself does not apply]
    • Automated decision-making with legal or similar significant effect
    • Systematic monitoring
    • Sensitive data or data of a highly personal nature [the FDPIC does not list sensitive data here]
    • Data processed on a large scale
    • Matching or combining datasets
    • Data concerning vulnerable data subjects [this is not mentioned by the FDPIC]
    • Innovative use or applying new technological or organizational solutions
    • When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”

  • Disclosure abroad can be a risk factor. A special examination is required here; this refers to the “Transfer Impact Assessment”. The result should be integrated into the DPIA, e.g. if “potential violations of personality and fundamental rights due to the fact that foreign authorities can act under foreign law” arise and the controller cannot assess this risk “with legal certainty and is therefore unable to reliably assess the probability of occurrence and severity of the impending breach even after planning and identifying appropriate measures in the DPIA”. This is certainly not wrong in principle. However, the idea that a risk that cannot be reliably assessed tends to be considered high is not correct; as a precautionary measure, the controller can proceed accordingly, but does not have to. It cannot reliably assess many risks, but it does not have to – Art. 2 GDPR requires a level of security appropriate to the risks, which requires an assessment of the foreseeable risks and not science fiction; accordingly, the controller must also work with what it can assume within the framework of the DPIA, not with speculation. However, the following sentence is certainly correct: “Transparent disclosure of such risk situations in the DPIA may include disclosure of the fact that they cannot be reliably assessed”.
  • Depending on the result of the DPIA, it must be submitted to the FDPIC (Art. 23 FADP). The controller can do this voluntarily if the mitigated, accepted net risks are not high or, in the case of high risks, if a data protection advisor was involved in the DPIA (i.e. in 99% of cases in total). However, the FDPIC “is not required to enter into the matter and take a substantive position. However, it may exceptionally comment on residual risks that are no longer high as part of its advisory activities”. Controllers will hardly submit DPIAs to the FDPIC voluntarily, also with a view to the Publicity Act, unless for reputational reasons, if public reactions are to be expected.
  • In the case of a mandatory submission or consultation, the FDPIC proceeds as follows:
    The FDPIC examines whether the DPIA submitted to him identifies and derives the high net risks in an understandable, comprehensible and complete manner. It also examines whether the planned processing, taking into account the risks to be disclosed, is compatible with the requirements of data protection legislation as a whole in that it is reasonable for those affected in terms of the planned scope and intensity and is therefore justifiable overall.

    The FDPIC shall inform the controller of any objections within the two-month period specified in Art. 23 para. 2 FADP. The FDPIC’s opinion is subject to a fee (Art. 59 FADP). It may relate to the planned data processing or also to the design of the DPIA.

    […]

    If a controller refuses to comply with important objections and suggestions made by the FDPIC, the latter may open an investigation and, in due course, formally order the suggested additions or changes, up to and including a ban on processing.