The German data protection authorities (German DPAs) have jointly released a list of processing activities (List) that are subject to a data protection impact assessment (DPIA). The List contains 16 examples.
What is a DPIA?
DPIAs shall help identifying, assessing and minimising the data protection risks of a project in which personal data are processed. Especially broader risks to the rights and freedoms of individuals, resulting from the processing, shall be assessed and mitigated by appropriate countermeasures.
DPIAs also support the General Data Protection Regulation’s (GDPR) accountability principle, helping organisations to prove that they have taken appropriate measures as required by GDPR, so that a compliant processing is possible.
Art. 35 GDPR provides that a DPIA is generally required where the processing of personal data, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR lists three examples where a DPIA is required:
- Systematic and extensive profiling
- Processing of special categories of personal data or criminal offence data on a large scale
- Systematic monitoring of publicly accessible places on a large scale
Art. 35 (4) GDPR calls on supervisory authorities to release lists that further specify those cases where a DPIA is mandatory.
The List provides 16 examples and thereby the areas that German DPAs consider constituting “high risk” processing activities.
The List includes, in particular, the following processing activities:
- Extensive processing of data subject to social, professional or special official secrecy (e.g., operators of insolvency registers, large social organisations).
- Extensive processing of personal data about the location of a data subject (e.g., car sharing services or tracking movement of customers in shopping centres).
- Aggregation of personal data from various sources and further processing of the aggregated data (e.g., fraud prevention systems or scoring by banks or insurances).
- Creation of comprehensive profiles about the interests, the network of personal relationships or the personality of the data subjects (e.g., operation of dating portals or social networks).
- Big data review of customer data that have been mixed with third-party data.
- Automated analysis of video or audio recordings to evaluate the personality of the data subjects.
- Customer support using artificial intelligence.
- Processing of special categories of personal data in accordance with Articles 9 and 10 GDPR to measure the performance of a person (e.g., fitness tracking).
The List gives organisations a first overview over the various use cases of DPIAs. However, the List is not exhaustive and is subject to future revisions. The fact that a process is not mentioned in the List does not necessarily mean that a DPIA will not have to be carried out nonetheless.
Other member states have also released their lists. For example, the list of the ICO can be accessed here.