EU DPAs consult on Data Protection Impact Assessments



The EU Article 29 Working Party is inviting comments on its proposed guidelines on Data Protection Impact Assessments (DPIAs). DPIAs are mandatory under the EU General Data Protection Regulation (GDPR) when processing is “likely to result in a high risk”. The DPAs say that the following processing situations are likely to present this kind of risk:

  • Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements”.
  • Automated-decision making with a legal or similar significant effect.
  • Systematic monitoring.
  • Sensitive data.
  • Data processed on a large scale (looking at the number of data subjects concerned, the volume of data, the duration, or permanence, of the data processing activity, and the geographical extent of the processing activity).
  • Datasets that have been matched or combined.
  • Data concerning vulnerable data subjects.
  • Innovative use or applying technological or organisational solutions.
  • Data transfers across borders outside the European Union.
  • When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”.

Non-compliance with DPIA requirements can lead to fines. To help companies comply, supervisory authorities are required to establish, make public and communicate a list of the processing operations that require a DPIA to the European Data Protection Board (EDPB). The DPAs says that the above list is a starting point to which they can add later.

Comments should be sent by 23 May 2017 to JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr. See the guidelines