GDPR - DPIA & EDPB: GO LIVE?

INTRODUCTION

On September 22 2018 the European Data Protection Board (EDPB) adopted a number of Opinions on the so-called black lists to be issued by all the EU Data Protection Supervisory Authorities (SAs) with regard to the personal data processing operations that require a Data Protection Impact Assessment (DPIA), pursuant to an important new provision[1] of the EU General Data Protection Regulation 2016/679 (GDPR).

According to Article 35(4) GDPR, each SA has to establish and make public a list of the kinds of processing operations that require a data protection impact assessment (its black list), that is, those for which “a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons”[2].

Under this requirement, each SA has to communicate its black list to the EDPB. The primary role of the board is to ensure the consistent application of the GDPR throughout the European Economic Area and, for the DPIA black lists in particular, the goal is an EU-harmonised approach to processing that is cross-border or that can affect the free flow of personal data or of natural persons across the EU. To this end, the EDPB applies the consistency mechanism to processing operations which:

1. relate to the offering of goods or services to data subjects, or

2. relate to the monitoring of data subjects' behaviour in several EU Member States, or

3. may substantially affect the free movement of personal data.

This does not mean that all the EU DPIA black lists will be the same: the SAs retain a margin of discretion with regard to their national context and local legislation. Although not all of the original DPIA black lists submitted by the SAs are public yet, the introductions and comments on them reported by the EDPB in its DPIA Opinions show that differences among the black lists exist and are probably not of secondary importance.

Therefore, this cannot be considered good news for companies doing business in many EU countries and, definitely not, for companies established outside the EU that are subject to the GDPR [3].

GENERAL CONSIDERATIONS AND OUTCOMES ABOUT THE EDPB DPIA OPINIONS

From an overall perspective it is interesting to highlight the processing operations submitted to the EDPB by the SAs and the opinions expressed on them by the board[4], always bearing in mind that the EDPB opinions do not cover each submitted DPIA black list in its entirety, but only the part concerning cross-border processing operations or operations affecting the free flow of personal data or of natural persons across the EU.

In its reasoning the EDPB makes extensive reference to the WP29 DPIA guidelines[5] and in particular to the set of 9 criteria to be considered when deciding whether or not to carry out a DPIA; in short, when at least 2 of the 9 criteria are met, a DPIA is required. This point is the fulcrum of all the considerations expressed in the EDPB DPIA opinions.

In particular, for the processing operation ‘Employee Monitoring’, the EDPB makes explicit reference to two of the criteria in the WP29 DPIA guidelines, the criterion on vulnerable data subjects and the criterion on systematic monitoring, expressing the opinion that together they match the concept of ‘systematic processing of employee data’ referred to in the WP29 ‘Opinion 2/2017 on data processing at work - wp249’. This is an important note for all companies carrying out processing operations that result from monitoring ICT usage at the workplace and outside it.

As a whole, the cases analysed by the EDPB are those listed below.

Table 1 – the processing operations analysed by the EDPB in its DPIA Opinions[6]

BIOMETRIC DATA

GENETIC DATA

LOCATION DATA

DATA COLLECTED VIA THIRD PARTIES (ARTICLE 19 GDPR)

FURTHER PROCESSING

EMPLOYEE MONITORING

INTERFACES OF PERSONAL ELECTRONIC DEVICE UNPROTECTED AGAINST UNAUTHORIZED READOUT

JOINT CONTROLLERSHIP

PROCESSING USING NEW/INNOVATIVE TECHNOLOGY

PROCESSING FOR SCIENTIFIC OR HISTORICAL PURPOSES WITHOUT CONSENT

INTERNATIONAL TRANSFERS

PROCESSING POSING A SIGNIFICANT RISK

EXCEPTIONS TO INFORMATION TO BE PROVIDED TO THE DATA SUBJECT ACCORDING TO ARTICLE 14.5 GDPR

INCONSISTENCY WITH THE GUIDELINES (WP29 DPIA GUIDELINES)

PROCESSING CARRIED OUT WITH THE AID OF AN IMPLANT

REFERENCING A SPECIFIC LEGAL BASIS

LARGE SCALE

TERRITORIALLY-DISTRIBUTED OR CROSS-BORDER INFORMATION SYSTEMS

MIGRATION FROM ONE SYSTEM TO AT LEAST ONE OTHER

FIRST USE OF SOLUTIONS APPLIED ON THE CZECH REPUBLIC'S TERRITORY

For each of them the EDPB has expressed its opinion on whether a DPIA is recommended or not (for each black list received from the SAs), summarised below essentially in terms of the following actions:

Table 2 – Actions addressed to the SAs by the EDPB in its DPIA Opinions

Short reference – Meaning

HOLD – The EDPB acknowledges that the case is eligible for the execution of a DPIA. This opinion was given for the case EMPLOYEE MONITORING, with reference to the WP29 Guidelines WP248 and WP249 mentioned above.

HOLD, ALREADY INCLUDED OTHER CRITERION – The EDPB acknowledges that the case is eligible for the execution of a DPIA, and the SA has already noted that another of the 9 criteria of the WP29 DPIA Guidelines must also be met in order to proceed with the DPIA.

HOLD INCLUDING OTHER CRITERION – The EDPB acknowledges that the case is eligible for the execution of a DPIA only if at least one other of the 9 criteria of the WP29 DPIA Guidelines is also met.

ADD AND INCLUDE OTHER CRITERION – The case is not included in the SA's DPIA black list: the EDPB requests that the SA add it, together with the requirement that at least one other of the 9 criteria of the WP29 DPIA Guidelines also be met.

DPIA REQUIRED IF HEALTH DATA INVOLVED – The EDPB acknowledges that the case is eligible for the execution of a DPIA if health data are involved. This opinion applies only to the case ‘PROCESSING CARRIED OUT WITH THE AID OF AN IMPLANT’.

CORRECT INCONSISTENCY/OVERLAPPING WITH THE CRITERIA REPORTED IN THE WP29 DPIA GUIDELINES – The EDPB detects an inconsistency with the WP29 DPIA Guidelines and requests the SA to resolve it.

REMOVE – The EDPB does not consider the case eligible for the execution of a DPIA and requests the SA to remove it.

ENCOURAGE TO ADD + OTHER CRITERION – The EDPB suggests including the case as eligible for the execution of a DPIA only if at least one other of the 9 criteria of the WP29 DPIA Guidelines is also met.

The picture below provides a summary view of the EDPB Opinions on the processing operations listed in Table 1 and of the related actions addressed to the SAs listed in Table 2.

It is also interesting to note which SAs considered which cases eligible for a DPIA and the related EDPB opinion, pending publication of the complete DPIA black lists by the SAs.

Legend for the next picture

AU – Austria

ES – Spain

LV – Latvia

SE – Sweden

BE – Belgium

FL – Finland

LT – Lithuania

SK – Slovakia

BG – Bulgaria

FR – France

LU – Luxembourg

SL – Slovenia

CY – Cyprus

GR – Greece

MT – Malta

UK – United Kingdom

CZ – Czech Republic

HR – Croatia

NL – Netherlands

DK – Denmark

HU – Hungary

PL – Poland

DE – Germany

IE – Ireland

PT – Portugal

EE – Estonia

IT – Italy

RO – Romania


[1] GDPR Articles 35 and 36

[2] GDPR Article 35(1)

[3] Pursuant to GDPR Article 3, companies established outside the EU that carry out processing activities related to (a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to data subjects in the Union, or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union, are subject to the GDPR.

[4] https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en

[5] WP29 - WP248 Rev 0.1, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

[6] As published by the EDPB as of 23 October 2018