Studio Legale Villata, Degli Esposti e Associati | View firm profile
In the context of the protection of natural persons with regards to the processing of personal data, Article 25 of Regulation EU/2016/679 (General Data Protection Regulation or “GDPR”) sets up the Data Protection Impact Assessment (“DPIA”) in pursuit of GDPR’s aims through a risk-based approach.
2. Notion of DPIA
The DPIA is a procedure designed to risk assess data-processing activities concerning physical persons. Recital No. 75 of GDPR considers such risks as those that “may lead to physical, material or non-material damage”to the rights and freedoms of natural persons (e.g. discrimination,identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorisedreversal of pseudonymisation, any other significant economic or social disadvantage etc.).
In order to better understand the scope of GDPR provisions on DPIA, the Data Protection Working Party – WP29 – (set up under Article 29 of Directive 95/46/EC) issued a set of Guidelines, which contain recommendations and common criteria on the methodology for carrying out the DPIA.
3. When the DPIA is mandatory
According to Article 35 of the GDPR, the DPIA is not mandatory for every single data processing operation. Nevertheless, the DPIA has to be carried out when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” and, in particular,when using new technologies. As pointed out in Article 35, this happens to be the case in three different scenarios. Firstly, when carrying out a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling etc. Secondly, in the case of processing on a large scale of special categories of data as referred to in Article 9(1), or of personal datarelating to criminal convictions and offences referred to in Article 10. Thirdly, when conducting a systematic monitoring of a publicly accessible area on a large scale.
4. When the DPIA is recommended
Even though Article 35 of GDPR sets up the above list of operations which require aDPIA, the WP29 deems such list non-exhaustive and, therefore, recommends taking into account more data processing activities which include: evaluation or scoring (e.g. customers –screening carried out by a bank); automated-decision making with legal or similar significant effect (since processing mightlead to forms of discrimination); systematic monitoring of publicly accessible areas (where data subjects are not fully aware of data collection); sensitivedata (e.g. medical records kept by a hospital); data processed on a large scale (considering the number of subjects concerned, the geographical extent etc.); data setsthat have been matched or combined;or data concerning vulnerable subjects(the mentally ill, asylum seekers, the elderly etc.) etc.
Accordingto the WG29, the more these activities are performed, the higher the risk onthe rights and freedoms of data subjects, which leads to the necessity ofcarrying out a DPIA.
5. Supervisory authority of the DPIA
Article 35 establishes a supervisory authority, whichis in charge of drafting a list of processing operations subject to DPIA andmaking it public. Moreover, even if it is not mandatory, the supervisoryauthority may draft a list of activities for which no DPIA is required.
6. Actions required by the DPIA
Pursuant to Article 35, the DPIA consists of several actions including: a systematic description of the envisaged processing operations and the purposes of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; a description of the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.
Under Article 83 of GDPR (“General conditions for imposing administrative fines”), infringements of DPIA provisions can lead to administrative fines up to 10,000,000EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.