The Spanish Data Protection Agency has published a list of processing operations for which a privacy impact assessment is mandatory

By Paula Garralon

05-2019

After receiving the favorable opinion of the European Data Protection Board, the Spanish Data Protection Agency ("AEPD") released, last 6th May, a list of processing operations for which it is necessary to carry out a privacy impact assessment.

According to Article 35 of the General Data Protection Regulation (GDPR), data controllers are obliged to carry out a data protection impact assessment (PIA) before implementing a processing activity that, taking into account its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons. According to the GDPR, the risk increases when the processing is carried out using "new technologies".

Although the GDPR establishes criteria that help to identify those processing operations that involve a high risk, the supervisory authorities shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. In this context, the AEPD has published a list of processing operations determining that in the majority of cases where the processing meets two or more of the criteria on the list, a PIA will be necessary. The more criteria met by the processing analyzed, the greater the risk involved and the certainty of the need for a PIA.

Below is the list of processing operations, which should be understood as a non-exhaustive list:

  1. Profiling or evaluation of natural persons, including the collection of data from multiple areas of the data subject's life (job performance, personality and behavior), covering various aspects of their personality or habits.
  2. Automated decision making or processing that greatly contributes to the making of such decisions, including any type of decision that prevents data subjects from exercising a right or access to a good or service or from being part of a contract.
  3. Systematic and exhaustive observation, monitoring, supervision, geolocation or control of the data subject, including the collection of data and metadata through networks, applications or in publicly accessible areas, as well as the processing of unique identifiers that allow the identification of users of information society services such as web services, interactive TV, mobile applications, etc.
  4. Processing special categories of data referred to in Article 9(1) of the GDPR, data related to convictions or criminal offences referred to in Article 10 of the GDPR, or data that makes it possible to determine a person's financial situation or creditworthiness, or to deduce information about a person that falls within the special categories of data.
  5. Use of biometric data for the purpose of uniquely identifying a natural person.
  6. Use of genetic data for any purpose.
  7. Use of data on a large scale. In determining whether a processing can be considered on a large scale the criteria set out in the Article 29 Working Party's guide WP243 "Guidelines on Data Protection Officers (DPOs)" will be considered.
  8. Association, combination or linking of database records from two or more processing operations carried out for different purposes or by different data controllers.
  9. Processing of data concerning vulnerable data subjects or those at risk of social exclusion, including children under 14 years of age, elderly persons with some degree of disability, disabled persons, persons accessing social services and victims of gender-based violence, as well as their descendants and persons in their care and custody.
  10. Use of new technologies or an innovative use of established technologies, including the use of technologies on a new scale, with a new objective or combined with others, in such a way as to involve new forms of collection and use of data with risk to the rights and freedoms of individuals.
  11. Processing of data that prevents data subjects from exercising their rights, using a service or performing a contract, such as processing where the data have been collected by a data controller other than the one who is going to process it and applies one of the exceptions on the information to be provided to data subjects under Article 14.5 (b,c,d) of the GDPR.