- From: Eva Schlehahn <uld67@datenschutzzentrum.de>
- Date: Tue, 12 Feb 2019 13:42:25 +0100
- To: public-dpvcg@w3.org
- Message-ID: <2602ae3c-2943-aab1-94a4-f5a862d3c283@datenschutzzentrum.de>
Dear all,
as agreed recently, I've had a look at the former Art. 29 Working
Party's (now: European Data Protection Board, EDPB) criteria in which
cases they consider an obligation to conduct a data protection impact
assessment (DPIA).
So, there are nine criteria explained in their document WP248 rev.01
(see pages 9 f.). I've attached the document for your convenience. When
one or several of the criteria are given, the EDPB assumes that the
intended personal data processing entails a 'high risk', which as a
consequence triggers the DPIA requirement:
1. Evaluation or scoring, including profiling and predicting (e.g. by
credit rating systems of banks)
2. Automated-decision making with legal or similar significant effect
3. Systematic monitoring (of persons, e.g. in networks or public areas)
4. Sensitive data or data of a highly personal nature involved (Art. 9+
10 data, but not exclusively, context-dependent)
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable data subjects (e.g. children, mentally
ill people, patients...)
8. Innovative use or applying new technological or organisational solutions
9. When the processing in itself “prevents data subjects from
exercising a right or using a service or a contract” (Article 22 and
recital 91).
All these criteria are explained in detail in the document I mentioned
above. However, from my point of view all of them are rather
context-dependent, which would make it difficult to express any of them
in a data privacy vocabulary. I imagine at least capturing the data
categories themselves would be the best we can do in that regard, but
I'd be happy to discuss that with you. :)
Greetings,
Eva
Attachments
- application/pdf attachment: 2017-10-04_wp248_rev01_Guidelines_on_DPIA_updated.pdf
Received on Tuesday, 12 February 2019 12:43:07 UTC