The Article 29 Working Party, the body in which the European data protection supervisory authorities are represented, has published draft guidelines on conducting a data protection impact assessment ("DPIA"). The 21-page document addresses numerous questions about the DPIA that are of great practical importance, and it can currently be regarded as the most extensive commentary to date on Art. 35 GDPR. Although the guidelines of the Article 29 Working Party, which was set up on the basis of Directive 95/46/EC, will not be formally binding on national data protection supervisory authorities in future, the expectation is that the supervisory authorities will nevertheless orient their practice towards them.
DPIA as central compliance document for risk-fraught data processing
The Article 29 Working Party (hereinafter "WP29") emphasizes that the DPIA serves general data protection compliance, that is, fulfilment of all requirements of the General Data Protection Regulation. Since Art. 35 GDPR requires an extensive risk assessment for every processing operation that is likely to result in a high risk to the rights and freedoms of natural persons, the overall compliance of each operation assessed will ultimately have to be documented within the DPIA. This is clearly the view of the WP29, as the checklist for conducting a DPIA attached to the guidelines as Annex 2 shows immediately. According to it, the DPIA must contain a complete and comprehensive description of each processing operation to be assessed under Art. 35 GDPR, going far beyond the minimum information in a record of processing activities. In addition, the existence of consent and compliance with the data protection principles of Art. 5 GDPR must be considered, and all measures intended to give effect to the rights of data subjects must be included in the DPIA's risk assessment.
This shows that, in the view of the WP29, the DPIA must check which measures have been taken to fulfil all other provisions of the GDPR and document the results of that check. A DPIA understood in this way becomes a central GDPR compliance document, at least for all processing operations that are likely to entail a high risk.
When is a high risk likely?
The guidelines propose considering the following 10 criteria when examining whether, under Art. 35 GDPR, processing is "likely to result in a high risk":
1. Is the conduct or are the characteristics of a person evaluated through the processing (automated scoring or automated evaluation)?
2. Does the processing lead to automated decisions concerning the data subject?
3. Are data subjects systematically monitored?
4. Are special categories of personal data as defined in Art. 9 GDPR, or other sensitive data, processed?
5. Is the processing carried out on a large scale, taking into account the number of data subjects, the volume of data per person, the duration of the processing and its geographical extent?
6. Are datasets from two or more sources matched or combined in a manner the data subject would not reasonably expect?
7. Is data of persons warranting particular protection, for example children, processed?
8. Is new technology or a particularly innovative procedure used? (This could be the case, for example, in the area of the "Internet of Things".)
9. Is data transferred from the EU to third countries? If so, how is the level of data protection in the recipient countries to be assessed?
10. Does the processing prevent data subjects from exercising their rights, using a service or concluding a contract (an example is a credit check before a contract is concluded)?
Even a first reading makes one thing clear: every one of these criteria leaves broad room for interpretation, and the WP29 does not wish to commit itself further. Instead, it emphasizes that the circumstances of each individual case are decisive. The WP29 does at least offer a "rule of thumb", explicitly labelled as such, according to which a high risk can generally be assumed when two or more of the 10 criteria are met.
The examples below are more helpful. The WP29 presents them in brief tabular form and without further explanation:
| Example of data processing | Possibly relevant criteria | DPIA necessary? |
|---|---|---|
| A hospital processes genetic data and health data of its patients in a "Hospital Information System" | special categories of data (criterion 4), persons warranting particular protection (criterion 7) | yes |
| Use of a camera system to observe driving behaviour on a road; the controller plans to use an intelligent video analysis system that can identify vehicles by their licence plates | systematic monitoring (criterion 3), new technology (criterion 8) | yes |
| A company monitors the conduct of its employees, in particular at the workplace and in their use of the Internet | systematic monitoring (criterion 3), persons warranting particular protection (criterion 7) | yes |
| Collecting public social media profiles to compile address lists for the private sector | evaluation or scoring (criterion 1), large-scale processing (criterion 5) | yes |
| An online magazine uses a mailing list to send a general daily newsletter to its subscribers | none | not necessarily |
| A web shop displays advertising for vintage car spare parts on the basis of limited user profiles that reflect purchasing behaviour on that website | evaluation or scoring (criterion 1) | not necessarily |
These examples are currently the most specific guidance available for assessing the elements of Art. 35(1) GDPR, even though they are far from covering every conceivable case. In many cases the general legal advice therefore still applies for the time being: it is safer to carry out a DPIA than not to.
Content requirements for performance of the DPIA
The WP29 guidelines make explicit that Art. 35 GDPR sets out only very general framework conditions for performing a DPIA. As a result, and as the WP29 states expressly, each controller has considerable flexibility to determine the precise structure and form of the DPIA itself.
The WP29 points out that the DPIA can be understood as a general tool of a company's risk management, and that all common standards and approaches for risk management and risk assessment, such as ISO 31000, may (but need not) therefore be drawn upon.
Consequently, the WP29 itself refrains from recommending a specific, detailed, ready-to-use methodology. Instead, Annex 1 refers to six further "frameworks" for performing a DPIA that have so far been produced by various EU data protection supervisory authorities or by the WP29 itself. Reference is also made to an ISO standard on performing a DPIA that is in preparation (ISO/IEC 29134).
Nevertheless, the guidelines claim that the checklist-style compilation of DPIA criteria in Annex 2 makes it possible to demonstrate compliance with the GDPR. Annex 2 does indeed offer a compact, one-page checklist which, compared with other abstract commentaries running to many pages, can be regarded as relatively practice-oriented. Even so, a number of balancing decisions remain to be taken in the specific implementation. The WP29 "sells" this as a positive feature of its checklist, which on the one hand "contains the fundamental requirements of the GDPR" and on the other "leaves sufficient leeway for various forms of implementation".
Overall, the GDPR obliges companies to maintain a very high level of documentation. The checklist in Annex 2 of the guidelines at least provides specific proposals on the content and performance of a DPIA. Since the guidelines are still a draft, it is likely to be worthwhile waiting for the final version.