The European Data Protection Board (EDPB) has released a set of Opinions offering guidance on when (and when not) to carry out a DPIA (Data Protection Impact Assessment). The Opinions offer specific indications for each EU Member State and provide insights into the reasoning of the national supervisory authorities, as well as the Board itself.
One of the main tasks of the national supervisory authorities is to establish lists of cases in which a DPIA should be carried out. However, to prevent substantial differences across the EU, the EDPB has screened the draft lists submitted to give a preliminary opinion on what should be changed in order to achieve greater harmonization.
In recent months, 22 supervisory authorities submitted draft lists of cases in which a DPIA should be carried out. On 25 September, the EDPB adopted 22 separate Opinions confirming, modifying or rejecting specific use cases proposed by the national authorities. Thanks to these Opinions, common criteria for DPIAs have been established, which will facilitate greater consistency in the application of the GDPR.
The EDPB refers in the Opinions to the specific cases brought forward by the national authorities. However, several general principles can be extracted:
| Use Case | EDPB Opinion |
|---|---|
| International Transfers of Personal Data | Processing made in the context of international transfers should not be a requirement to do a DPIA. |
| Employee Monitoring | Employee monitoring requires a DPIA when done in a systematic way or when data concerning vulnerable data subjects are processed [N.B. in the workplace, employees are to be regarded as vulnerable data subjects]. |
| Processing done by Joint Controllers | The processing of personal data under a joint controllership should not per se require a DPIA to be carried out. |
| Use of Biometric Data | Processing of biometric data requires a DPIA only when the purpose is uniquely identifying a natural person, and this is done in conjunction with at least one other criterion. |
| | These types of processing do not necessarily represent a high risk. However, the processing of them in conjunction with at least one other criterion requires a DPIA to be carried out. |
| "Large Scale" Processing | Finally, the EDPB noted that the concept of "large scale" should not be further specified by figures and invited all national authorities to refrain from doing so. The EDPB referred instead to the principles set out in the WP29 guidelines on Data Protection Officers (WP243) and on DPIAs (WP248) to define "large scale." |