There are several sample forms and documents on DPIA methodology published by different supervisory authorities (“SAs”) that could be relied upon by controllers to guide them in designing their DPIA processes. For a detailed description of the steps to be borne in mind while conducting a DPIA, you can download our whitepaper.
However, before conducting a DPIA, it is necessary to determine whether or not a DPIA is required in the first place. This pre-assessment is based on the level of risk posed by the envisaged processing operation(s). In this blogpost we analyse the very need to do a DPIA (or the pre-assessment) rather than the DPIA itself.
The GDPR and the WP29 Guidelines on Data Protection Impact Assessment (DPIA) determine whether processing is likely to result in a high risk based on a non-exhaustive list of characteristics. These characteristics, hereafter referred to as “EU Triggers”, determine the need for a full assessment:
The Guidelines state a rule of thumb: in case two or more of the above criteria apply, a full DPIA is necessary. However, the rule has exceptions, and controllers must in any case give reasoned grounds for whether a DPIA is necessary, after seeking the advice of the data protection officer and other stakeholders, including the data subjects.
In line with the margin of manoeuvre available to member states (“MSs”) under the GDPR, Articles 35(4) and 35(5) of the GDPR empower the competent SAs of the MSs to supplement these lists. Accordingly, most of the SAs have published lists that specify characteristics that would require a DPIA (“Black List”). Some, such as the Belgian SA, have also published a list of processing activities that are exempted from the DPIA requirement (“White List”).
Given that the underlying legislative intent behind the GDPR is to ensure consistency in data protection practices across the EU and facilitate the free flow of data in order to aid the internal market, there ought not to be divergences that would hamper the goal of cross-border data flow. Hence, the SAs are required to follow the consistency mechanism laid down under the GDPR (cf. art. 35(4) and 35(6)), in cases where the processing of personal data:
a) relates to the offering of goods or services to data subjects; or
b) relates to the monitoring of their behaviour in several MSs; or
c) may substantially affect the free movement of personal data within the Union.
In light of this, the SA lists are required to be communicated to the European Data Protection Board (“EDPB”) established under Article 68 of the GDPR. As per Article 64(1) of the GDPR, the EDPB is responsible for issuing opinions to the SAs on these lists, and the SAs are required to take utmost account of these opinions by adopting the proposed changes or communicating reasons for failing to do so, to the EDPB.
Currently, the EDPB has already published opinions on 26 SA lists, highlighting the ultimate goal of “establishing a harmonised approach” and “protecting consistency that can affect the free flow of personal data of natural persons across the European Union”. Some of the clarifications, as discussed hereafter, definitely take a step towards achieving consistent application of the GDPR. A few of the key clarifications are as follows:
In spite of the consistency opinions published by the EDPB, in our view certain uncertainties still persist when the SA lists are read in combination with the EU Triggers. Some of these are crucial for businesses seeking legal certainty with respect to processing operations involving more than one MS.
Alternatively, it is likely that even though a processing operation fits a factor listed in the White List, it could still require a DPIA if other factors provided in the Black List or the EU Triggers apply to it. For example, the Belgian White List clarifies that the processing for the purposes of the administration of salaries of people who work for or on behalf of the controller would not require a DPIA. However, it is unclear whether this would be the case even if the processing involves new technological means or if it allows the controller to evaluate eligibility for future bonus pay.
While many of the inconsistencies addressed above may be resolved through detailed legal analysis on a case-by-case basis, the fact remains that the SA lists fall short of facilitating legal and practical certainty and smooth business decision making.
One of the ways forward could be for the EDPB to issue fresh guidance supplementing the existing Guidelines with specific situational examples involving different jurisdictions and several controllers (both based in the EU and outside it). This would go a long way towards restoring certainty to the DPIA process. The current Guidelines do not mention the SA lists at all, and in our opinion this could prove to be a significant roadblock for economic operators seeking legal and practical certainty around doing business in the EU.