
EUROPEAN RULES ON DATA PROTECTION IMPACT ASSESSMENT (“DPIA”)

November 2019 - TMT (Technology, Media & Telecoms). Legal Developments by Villata, Degli Esposti e Associati.

1. Overview

In the context of the protection of natural persons with regard to the processing of personal data, Article 25 of Regulation EU/2016/679 (General Data Protection Regulation or “GDPR”) sets up the Data Protection Impact Assessment (“DPIA”) in pursuit of GDPR’s aims through a risk-based approach.

2. Notion of DPIA

The DPIA is a procedure designed to assess the risks of data-processing activities concerning natural persons. Recital No. 75 of GDPR considers such risks as those that “may lead to physical, material or non-material damage” to the rights and freedoms of natural persons (e.g. discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, any other significant economic or social disadvantage etc.).

In order to better understand the scope of GDPR provisions on DPIA, the Data Protection Working Party - WP29 - (set up under Article 29 of Directive 95/46/EC) issued a set of Guidelines, which contain recommendations and common criteria on the methodology for carrying out the DPIA.

3. When the DPIA is mandatory

According to Article 35 of the GDPR, the DPIA is not mandatory for every single data processing operation. Nevertheless, the DPIA has to be carried out when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” and, in particular, when using new technologies. As pointed out in Article 35, this is the case in three different scenarios. Firstly, when carrying out a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling etc. Secondly, in the case of processing on a large scale of special categories of data as referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10. Thirdly, when conducting a systematic monitoring of a publicly accessible area on a large scale.

4. When the DPIA is recommended

Even though Article 35 of GDPR sets up the above list of operations which require a DPIA, the WP29 deems such list non-exhaustive and, therefore, recommends taking into account more data processing activities, which include: evaluation or scoring (e.g. customer screening carried out by a bank); automated decision-making with legal or similar significant effect (since processing might lead to forms of discrimination); systematic monitoring of publicly accessible areas (where data subjects are not fully aware of data collection); sensitive data (e.g. medical records kept by a hospital); data processed on a large scale (considering the number of subjects concerned, the geographical extent etc.); datasets that have been matched or combined; or data concerning vulnerable subjects (the mentally ill, asylum seekers, the elderly etc.).

According to the WP29, the more of these activities are performed, the higher the risk to the rights and freedoms of data subjects, which leads to the necessity of carrying out a DPIA.

5. Supervisory authority of the DPIA

Article 35 establishes a supervisory authority, which is in charge of drafting a list of processing operations subject to DPIA and making it public. Moreover, even if it is not mandatory, the supervisory authority may draft a list of activities for which no DPIA is required.

6. Actions required by the DPIA

Pursuant to Article 35, the DPIA consists of several actions including: a systematic description of the envisaged processing operations and the purposes of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; a description of the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

7. Sanctions

Under Article 83 of GDPR (“General conditions for imposing administrative fines”), infringements of DPIA provisions can lead to administrative fines up to 10,000,000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.