Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data.
Such indiscriminate general notification obligations are therefore abolished by Regulation 2016/679/EC and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes, in particular the conduct of Data Protection Impact Assessments (DPIAs). Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing (recital 89 of the GDPR).
Regulation 2016/6791 (GDPR) will apply from 25 May 2018. Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA), as does Directive 2016/68032. A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also article 24)5. In other words, a DPIA is a process for building and demonstrating compliance (p. 4 of the Art29WP Guidelines).
Hence, rather than generally requiring the notification of data processing operations to supervisory authorities, the GDPR relies on data controllers to assess the impact of envisaged data processing operations and only involves the consultation of supervisory authorities in relation to high-risk processing operations.
The relevant provisions for the obligations of data controllers in regard to the execution of data protection impact assessments are set out in the following legal texts :
- Recitals 84, 89-95 of the GDPR.
- Articles 35-36 of the GDPR.
- Art29 WP Guidelines on DPIA.
The Obligation to Carry Out a DPIA
In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller shall be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk (recital 84 of the GDPR).
The data controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (article 35 § 1 of the GDPR).
The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment (article 35 § 2 of the GDPR).
Where processing is necessary for compliance with a legal obligation to which the controller is subject or processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller and such processing has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities (article 35 § 10 of the GDPR).
The Obligation of Prior Consultation with the DPA
Prior to the start of processing activities the controller shall consult the supervisory authority (recitals 84, 94 and article 36 § 1 of the GDPR) :
- Where a data-protection impact assessment indicates that processing operations involve a high risk to the rights and freedoms of natural persons, and
- The controller does not or cannot mitigate such risk by appropriate measures in terms of available technology and costs of implementation.
Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person (recital 94 of the GDPR).
An example of an unacceptable high residual risk includes instances where the data subjects may encounter significant, or even irreversible, consequences, which they may not overcome (e.g.: an illegitimate access to data leading to a threat on the life of the data subjects, a layoff, a financial jeopardy) and/or when it seems obvious that the risk will occur (e.g.: by not being able to reduce the number of people accessing the data because of its sharing, use or distribution modes, or when a well- known vulnerability is not patched). Whenever the data controller cannot find sufficient measures to reduce the risks to an acceptable level (i.e. the residual risks are still high), consultation with the supervisory authority is required (p. 19 of the Art29WP Guidelines)
Where the supervisory authority is of the opinion that the intended processing would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation (article 36 § 2 of the GDPR).
When consulting the supervisory authority, the controller shall provide the supervisory authority with (article 36 § 3 of the GDPR) :
(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
(b) the purposes and means of the intended processing;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;
(d) where applicable, the contact details of the data protection officer;
(e) the data protection impact assessment provided for in Article 35; and
(f) any other information requested by the supervisory authority.
Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health (article 36 § 5 of the GDPR).
The Obligation to Take Appropriate Measures Based on the Outcome of the DPIA
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. Those measures shall be reviewed and updated where necessary (article 24 § 1 of the GDPR).
The DPIA is a key part of complying with the Regulation where high risk data processing is planned or is taking place (p. 19 of the Art29WP Guidelines). The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation (recital 84 of the GDPR).
The Obligation to Monitor Compliance with the DPIA
Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations (article 35 § 11 of the GDPR).
The Obligation to Review DPIAs
As a matter of good practice, a DPIA should be continuously reviewed and regularly re-assessed. Therefore, even if a DPIA is not required on 25 May 2018, it will be necessary, at the appropriate time, for the controller to conduct such a DPIA as part of its general accountability obligations (p. 14 of the Art29WP Guidelines).
Data Processors’ Obligations Regarding DPIAs
The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority (recital 95 of the GDPR). The processor should also provide any necessary information in line with Article 28(3)(f) (p. 15 of the Art29WP Guidelines).
DPO Tasks Regarding DPIAs
The data protection officer shall provide advice where requested as regards the data protection impact assessment and monitor its performance (article 39 § 1c’ of the GDPR).
DPA Tasks Regarding DPIAs
Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory establish and maintain a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4) (article 57 § 1k’ of the GDPR). Each supervisory authority shall communicate the foregoing draft decision to the Board (article 64 § 1a’ of the GDPR)
The Scope of the DPIA
The GDPR requires controllers to implement appropriate measures to ensure and be able to demonstrate compliance with the GDPR, taking into account among others the “the risks of varying likelihood and severity for the rights and freedoms of natural persons” (article 24 § 1 of the GDPR). The obligation for controllers to conduct a DPIA in certain circumstances should be understood against the background of their general obligation to appropriately manage risks presented by the processing of personal data. It has to be stressed that in order to manage the risks to the rights and freedoms of natural persons, the risks have to identified, analyzed, estimated, evaluated, treated (e.g. mitigated…), and reviewed regularly. Controllers cannot escape their responsibility by covering risks under insurance policies (p. 6 of the Art29WP Guidelines).
In line with the risk-based approach embodied by the GDPR, carrying out a DPIA is not mandatory for every processing operation (p. 5 of the Art29WP Guidelines).
A single assessment may address a set of similar processing operations that present similar high risks (article 35 § 1 of the GDPR). As a consequence, a DPIA is not required when the nature, scope, context and purposes of the processing are very similar to the processing for which DPIA have been carried out. In such cases, results of DPIA for similar processing can be used (p. 12 of the Art29WP Guidelines).
There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity (recital 92 of the GDPR).
A single DPIA could be used to assess multiple processing operations that are similar in terms of nature, scope, context, purpose, and risks. This might be the case where similar technology is used to collect the same sort of data for the same purposes. For example, a group of municipal authorities that are each setting up a similar CCTV system could carry out a single DPIA covering the processing by these separate controllers, or a railway operator (single controller) could cover video surveillance in all its train stations with one DPIA. This may also be applicable to similar processing operations implemented by various data controllers. In those cases, a reference DPIA should be shared or made publicly accessible, measures described in the DPIA must be implemented, and a justification for conducting a single DPIA has to be provided (p. 7 of the Art29WP Guidelines).
A DPIA can also be useful for assessing the data protection impact of a technology product, for example a piece of hardware or software, where this is likely to be used by different data controllers to carry out different processing operations. Of course, the data controller deploying the product remains obliged to carry out its own DPIA with regard to the specific implementation, but this can be informed by a DPIA prepared by the product provider, if appropriate. An example could be the relationship between manufacturers of smart meters and utility companies. Each product provider or processor should share useful information without neither compromising secrets nor leading to security risks by disclosing vulnerabilities (p. 8 of the Art29WP Guidelines).
The Criteria for the Evaluation of the Risk
A “risk” is a scenario describing an event and its consequences, estimated in terms of severity and likelihood. “Risk management”, on the other hand, can be defined as the coordinated activities to direct and control an organization with regard to risk (p. 6 of the Art29WP Guidelines).
The criteria, according to which the likelihood of a high risk to the rights and freedoms of natural persons shall be evaluated, are the nature, scope, context and purposes of the processing (article 35 § 1 of the GDPR).
A DPIA shall in particular be required in the case of (article 35 § 3 of the GDPR and p. 10-11 of the Art29WP Guidelines) :
- Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements” (recitals 71 and 91). Examples of this could include a financial institution that screens its customers against a credit reference database or against an anti-money laundering and counter-terrorist financing (AML/CTF) or fraud database, or a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks, or a company building behavioural or marketing profiles based on usage or navigation on its website.
- Automated-decision making with legal or similar significant effect : processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person” (Article 35(3)(a)). For example, the processing may lead to the exclusion or discrimination against individuals. Processing with little or no effect on individuals does not match this specific criterion. Further explanations on these notions will be provided in the upcoming WP29 Guidelines on Profiling.
- Systematic monitoring : processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area” (Article 35(3)(c)) [The WP29 interprets “systematic” as meaning one or more of the following (see the WP29 Guidelines on Data Protection Officer 16/EN WP 243): – occurring according to a system; – pre-arranged, organised or methodical; – taking place as part of a general plan for data collection; – carried out as part of a strategy. The WP29 interprets “publicly accessible area” as being any place open to any member of the public, for example a piazza, a shopping centre, a street, a market place, a train station or a public library]. This type of monitoring is a criterion because the personal data may be collected in circumstances where data subjects may not be aware of who is collecting their data and how they will be used. Additionally, it may be impossible for individuals to avoid being subject to such processing in public (or publicly accessible) space(s).
- Sensitive data or data of a highly personal nature : this includes special categories of sensitive personal data, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as personal data relating to criminal convictions or offences as defined in Article 10 of the GDPR. An example would be a general hospital keeping patients’ medical records or a private investigator keeping offenders’ details. Beyond these provisions of the GDPR, some categories of data can be considered as increasing the possible risk to the rights and freedoms of individuals. These personal data are considered as sensitive (as this term is commonly understood) because they are linked to household and private activities (such as electronic communications whose confidentiality should be protected), or because they impact the exercise of a fundamental right (such as location data whose collection questions the freedom of movement) or because their violation clearly involves serious impacts in the data subject’s daily life (such as financial data that might be used for payment fraud). In this regard, whether the data has already been made publicly available by the data subject or by third parties may be relevant. The fact that personal data is publicly available may be considered as a factor in the assessment if the data was expected to be further used for certain purposes. This criterion may also include data such as personal documents, emails, diaries, notes from e-readers equipped with note-taking features, and very personal information contained in life-logging applications.
- Data processed on a large scale : the WP29 recommends that the following factors be considered when determining whether the processing is carried out on a large scale:
(a) the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
(b) the volume of data and/or the range of different data items being processed;
(c) the duration, or permanence, of the data processing activity;
(d) the geographical extent of the processing activity.
- Matching or combining datasets, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject [See explanation in the WP29 Opinion on Purpose limitation 13/EN WP 203, p.24].
- Data concerning vulnerable data subjects (recital 75): the processing of this type of data is a criterion because of the increased power imbalance between the data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights. Vulnerable data subjects may include children (they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees, more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, or the elderly, patients, etc.), and in any case where an imbalance in the relationship between the position of the data subject and the controller can be identified.
- Innovative use or applying new technological or organisational solutions, like combining use of finger print and face recognition for improved physical access control, etc. The GDPR makes it clear (Article 35(1) and recitals 89 and 91) that the use of a new technology, defined in “accordance with the achieved state of technological knowledge” (recital 91), can trigger the need to carry out a DPIA. This is because the use of such technology can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms. Indeed, the personal and social consequences of the deployment of a new technology may be unknown. A DPIA will help the data controller to understand and to treat such risks. For example, certain “Internet of Things” applications could have a significant impact on individuals’ daily lives and privacy; and therefore require a DPIA.
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract” (Article 22 and recital 91). This includes processing operations that aims at allowing, modifying or refusing data subjects’ access to a service or entry into a contract. An example of this is where a bank screens its customers against a credit reference database in order to decide whether to offer them a loan.
A data controller can consider that a processing meeting two of the foregoing criteria would require a DPIA to be carried out. In general, the WP29 considers that the more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA, regardless of the measures which the controller envisages to adopt (p. 11 of the Art29WP Guidelines).
The obligation to conduct a DPIA applies to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory (recital 91 of the GDPR).
The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a DPIA. The supervisory authority shall communicate those lists to the European Data Protection Board (article 35 § 4 of the GDPR).
The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the European Data Protection Board (article 35 § 5 of the GDPR).
Prior to the adoption of the foregoing lists, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union (article 35 § 6 of the GDPR).
Timing of DPIAs
A data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk (article 35 § 1 and recital 90 of the GDPR).
A DPIA could be required after a change of the risks resulting from the processing operations [the data collected, purposes, functionalities, personal data processed, recipients, data combinations, risks (supporting assets, risk sources, potential impacts, threats, etc.), security measures and international transfers], for example because a new technology has come into use or because personal data is being used for a different purpose (p. 14 of the Art29WP Guidelines).
In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such assessment prior to the processing activities (recital 93 of the GDPR).
The Subject Matter and Content of the DPIA
The DPIA under the GDPR is a tool for managing risks to the rights of the data subjects, and thus takes their perspective, as is the case in certain fields (e.g. societal security). Conversely, risk management in other fields (e.g. information security) is focused on the organization. Risk management processes, such as DPIAs, follow the phases of communication and consultation, establishing the context, risk assessment, risk treatment, monitoring and review (p. 17 of the Art29WP Guidelines).
Through the DPIA the data controller shall evaluate the origin, nature, particularity and severity of the risk to the rights and freedoms of natural persons (recital 84 of the GDPR). The process of the DPIA shall proceed according to the following stages :
i. Establishing the Context
At this stage, a systematic description of the envisaged processing operations and the purposes of the processing is provided, including, where applicable, the legitimate interest pursued by the controller. In particular, the following elements are required (Annex 2 of the Art29WP Guidelines) :
- nature, scope, context and purposes of the processing are taken into account (recital 90 of the GDPR);
- personal data, recipients and period for which the personal data will be stored are recorded;
- a functional description of the processing operation is provided;
- the assets on which personal data rely (hardware, software, networks, people, paper or paper transmission channels) are identified;
- compliance with approved codes of conduct is taken into account (Article 35(8));
ii. Assessing Necessity and Proportionality
At this stage, an assessment of the necessity and proportionality of the processing operations in relation to the purposes is conducted as follows (Annex 2 of the Art29WP Guidelines) :
(a) Measures envisaged to comply with the Regulation are determined (Article 35(7)(d) and recital 90), taking into account:
- measures contributing to the proportionality and the necessity of the processing on the basis of: (i) specified, explicit and legitimate purpose(s) (Article 5(1)(b)); (ii) lawfulness of processing (Article 6); (iii) adequate, relevant and limited to what is necessary data (Article 5(1)(c));
- limited storage duration (Article 5(1)(e));
(b) Measures contributing to the rights of the data subjects:
- information provided to the data subject (Articles 12, 13 and 14);
- right of access and to data portability (Articles 15 and 20);
- right to rectification and to erasure (Articles 16, 17 and 19);
- right to object and to restriction of processing (Article 18, 19 and 21);
- relationships with processors (Article 28);
- safeguards surrounding international transfer(s) (Chapter V);
- prior consultation (Article 36).
iii. Assessing and Treating the Risks
At this stage, an assessment of the particular likelihood and severity of the high risks to the rights and freedoms of data subjects is conducted and the measures envisaged to address the risks are determined as follows (Annex 2 of the Art29WP Guidelines) :
origin, nature, particularity and severity of the risks are appreciated (cf. recital 84) or, more specifically, for each risk (illegitimate access, undesired modification, and disappearance of data) from the perspective of the data subjects:
- risks sources are taken into account (recital 90);
- potential impacts to the rights and freedoms of data subjects are identified in case of events including illegitimate access, undesired modification and disappearance of data;
- threats that could lead to illegitimate access, undesired modification and disappearance of data are identified;
- likelihood and severity are estimated (recital 90);
- measures envisaged to treat those risks are determined (Article 35(7)(d) and recital 90);
iv. Involving Interested Parties
At this stage, the interested parties to the execution of the DPIA are involved as follows (Annex 2 of the Art29WP Guidelines) :
- the advice of the DPO is sought (Article 35(2));
- the views of data subjects or their representatives are sought, where appropriate (Article 35(9)).
Compliance with approved codes of conduct by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment (article 35 § 8 of the GDPR). This can be useful to demonstrate that adequate measures have been chosen or put in place, provided that the code of conduct is appropriate to the processing operation. Certifications, seals and marks for the purpose of demonstrating compliance with the GDPR of processing operations by controllers and processors (Article 42), as well as Binding Corporate Rules (BCR), should be taken into account as well (p. 16 of the Art29WP Guidelines).
In the process of taking the measures envisaged to reduce the high risks to the rights and freedoms of natural persons to an acceptable level and to demonstrate compliance with the GDPR, the controller shall take account of the state of the art and the costs of implementation (p. 18 of the Art29WP Guidelines).
When the processing operation involves joint controllers, they need to define their respective obligations precisely. Their DPIA should set out which party is responsible for the various measures designed to treat risks and to protect the rights and freedoms of the data subjects. Each data controller should express his needs and share useful information without either compromising secrets (e.g.: protection of trade secrets, intellectual property, confidential business information) or disclosing vulnerabilities (p. 7 of the Art29WP Guidelines).
Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations (article 35 § 9 of the GDPR). Those views could be sought through a variety of means, depending on the context (e.g. a generic study related to the purpose and means of the processing operation, a question to the staff representatives, or usual surveys sent to the data controller’s future customers) ensuring that the controller has a lawful basis for processing any personal data involved in seeking such views. Although it should be noted that consent to processing is obviously not a way for seeking the views of the data subjects. If the data controller’s final decision differs from the views of the data subjects, its reasons for going ahead or not should be documented. The controller should also document its justification for not seeking the views of data subjects, if it decides that this is not appropriate, for example if doing so would compromise the confidentiality of companies’ business plans, or would be disproportionate or impracticable (p. 15 of the Art29WP Guidelines).
Under the GDPR, non-compliance with DPIA requirements can lead to fines imposed by the competent supervisory authority. Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)-(4)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the competent supervisory authority where required (Article 36(3)(e)), can result in an administrative fine of up to 10M€, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (p. 4 of the Art29WP Guidelines).