Personal Data Protection Office on when to perform a DPIA
When does it become necessary to carry out a data protection impact assessment? The Personal Data Protection Office attempts to answer this question with its List of Types of Personal Data Processing Operations Subject to Data Protection Impact Assessment (the “List of Operations Subject to DPIA”).
The duty to perform a data protection impact assessment, i.e. a DPIA, is one of the duties the GDPR imposes on personal data controllers. Under the GDPR, a DPIA must always be carried out when it is likely that a certain type of processing will result in a high risk for the data subjects’ rights and freedoms, especially when taking into account the nature, extent, context and purpose of a particular processing operation. However, the text of the regulation itself is very abstract and contains indefinite legal terms. Personal data controllers are therefore left in a high degree of uncertainty.
Attempts have been made to provide a uniform interpretation, such as the Guidelines on DPIAs and High-Risk Processing prepared by the European Data Protection Board (the WP29). These comprise a list of nine criteria according to which it should be possible to determine whether a DPIA must be performed. However, these instructions do not provide an entirely specific answer to personal data administrators, especially concerning marginal cases.
The Czech Personal Data Protection Office has now published a final version of the List of Operations Subject to DPIA, exactly one year after the first version of this document was issued for public discussion purposes. The list determines the characteristics of personal data processing to be used by controllers to describe their personal data processing operations and subsequently to assess whether the processing operation involves a high level of risk for the data subject’s rights and freedoms. The level of risk is determined according to predefined scales allocating certain critical, significant, and low values to each individual characteristic.
The above list has already been approved by the European Data Protection Board. But the Personal Data Protection Office itself admits that the material is not exhaustive and may be subject to changes and additions resulting from the development of technologies, amendments to legislation, etc. Along with the List of Types of Personal Data Processing Operations Not Subject to DPIA published earlier, data controllers should finally have at their disposal clearer guidance on how to determine whether a DPIA should be performed.