On 17 June 2019 the president of Poland’s Personal Data Protection Office (UODO) issued the Communication on the List of Personal Data Processing Operations Requiring an Assessment of the Impact of Processing on the Protection of Personal Data. The legal basis for issuance of the communication is Art. 35(4) of the EU’s General Data Protection Regulation, under which each member state’s supervisory authority must establish and publish a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment. At the same time, the prior list, enclosed with the communication of 17 August 2018, was repealed. The new list reflects the opinion issued by the European Data Protection Board and covers personal data processing activities connected with the offering of goods and services to data subjects or the monitoring of their behaviour in multiple EU member states.
Preparation of a data protection impact assessment will generally be required if the personal data processing meets at least two of the criteria indicated in the list. However, it cannot be ruled out that an assessment will have to be prepared even if the processing fulfils only one of the criteria in the list. The more criteria met, the higher the likelihood that the type of processing in question “is likely to result in a high risk to the rights and freedoms of natural persons” (Art. 35(1) GDPR). In such a situation, an assessment of the impacts of the planned operation should be made before the processing commences.
The list identifies types of processing operations for which it is necessary to conduct an impact assessment, as well as potential areas of occurrence or application of such operations, and examples of operations, data scope, and circumstances which may present a high risk of infringement for the given type of processing operation.
The most important change is the addition to the list of three new categories of processing operations for which an impact assessment is required:
- Processing of biometric data with the sole purpose of identifying natural persons or controlling access—this involves for example facial recognition systems, verification of identity at the workplace for purposes of controlling access, and systems monitoring entries into specific areas
- Processing of genetic data—primarily by laboratories and other entities offering genetic diagnostics, such as DNA testing
- Processing of location data, for example by devices, applications and platforms using the internet of things, processing of data in the context of working from home or telecommuting, and processing of location data of employees.
It should be stressed that the existence of this list does not release data controllers from the obligation to examine all personal data processing operations based on a full assessment of data protection impacts (Art. 35(1) GDPR). In other words, it cannot be assumed that if the processing of data by a given controller does not fall within the categories included in the list, it is not necessary to prepare an impact assessment.
Nonetheless, the list does make it much easier for data controllers to decide whether they should conduct an impact assessment.