As agreed recently, I've had a look at the former Art. 29 Working 
Party's (now: European Data Protection Board, EDPB) criteria in which 
cases they consider an obligation to conduct a data protection impact 
assessment (DPIA).

So, there are nine criteria explained in their document WP248 rev.01 
(see pages 9 f.). I've attached the document for your convenience. When 
one or several of the criteria are given, the EDPB assumes that the 
intended personal data processing entails a 'high risk', which as a 
consequence triggers the DPIA requirement:

 1. Evaluation or scoring, including profiling and predicting (e.g. by
    credit rating systems of banks)
 2. Automated decision-making with legal or similar significant effect
 3. Systematic monitoring (of persons, e.g. in networks or public areas)
 4. Sensitive data or data of a highly personal nature involved (Art. 9+
    10 data, but not exclusively, context-dependent)
 5. Data processed on a large scale
 6. Matching or combining datasets
 7. Data concerning vulnerable data subjects (e.g. children, mentally
    ill people, patients, ...)
 8. Innovative use or applying new technological or organisational solutions
 9. When the processing in itself “prevents data subjects from
    exercising a right or using a service or a contract” (Article 22 and
    recital 91).

All these criteria are explained in detail in their document I mentioned 
above. However, from my point of view all of them are rather 
context-dependent, which would make it difficult to express any of them 
in a data privacy vocabulary. I imagine at least capturing the data 
categories themselves would be the best we can do in that regard, but 
I'd be happy to discuss that with you. :)



Received on Tuesday, 12 February 2019 12:43:07 UTC