In line with Article 35(4) of the GDPR, the Polish Data Protection Authority has prepared and published a draft list of the kinds of processing operations subject to a mandatory data protection impact assessment (DPIA).

According to the authority's statements, the list is based on more than twenty years of the authority's experience and reflects the requirements for DPIAs highlighted by the Article 29 Working Party in its Guidelines on Data Protection Impact Assessment and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, wp248rev.01.

The list is quite detailed and, as it currently stands, covers 10 kinds of processing operations. Each kind of operation is followed by examples of “processing operations that is likely to result in a high risk,” as well as a few examples of business or public sectors where such processing can potentially occur.

The unofficial English translation of the document issued by the DPA is available in the IAPP Resource Center. (pdf 182KB)

The original document is available here.

Most impacted businesses and sectors

Based on the list, it seems that for the DPA, the processing of personal data in some business sectors is more likely to result in a high risk than in others.

For instance, profiling users of social networks and other applications for purposes of sending unsolicited correspondence will require a DPIA based on the draft list. Further, banks will be required to carry out DPIAs in the case of creditworthiness ratings or using proprietary algorithms and data disclosure requests not directly related to risk assessment.

For insurance companies, the DPIA will be mandatory if the data is processed for the purpose of maximizing profits (increasing the price the data subjects pay) through the assessment of lifestyle, nutrition habits, driving skills, ways of spending time, etc.

Online stores offering promotional prices for specific groups of clients will be required to conduct DPIAs when using customer profiling systems to identify purchase preferences or setting promotional prices based on the profile. The same applies to loyalty programs containing elements of profiling people.

The list of necessary DPIAs from the employer's perspective

The list prepared by the Polish DPA will also influence the scope of DPIAs to be carried out by employers, irrespective of the business sector. The following processing activities (probably relevant to every employer) have been indicated as requiring a DPIA:

  • Automatic monitoring of working time (via access control systems using proximity cards); this processing activity has been grouped as a systematic monitoring of a publicly accessible area on a large scale.
  • Automatic monitoring of employees' work (e.g., their internet activity, e-mail use, etc.); this processing activity has also been grouped as a systematic monitoring of a publicly accessible area on a large scale.
  • Use of biometric data of employees for access control or measuring work time (due to the use of special categories of personal data).
  • Employee assessment on the basis of observation of their work on computers (if processed on a large scale).
  • Processing employee personal data on the basis of the employee’s consent (if the scope of personal data is broader than that listed in law and the data processing includes an analysis of personal data acquired from more than one source).
  • Recruitment systems used by recruitment agencies which matchmake candidates with potential employers (candidates being dependent on a decision of such agencies).
  • Whistleblowing hotlines for employees (for reporting improper behaviour).
  • Creating or storing employment documentation in a centralised database (common for a group of companies) where this activity results in a transfer of personal data to a third country.

On the basis of this list, it can be summarized that the Polish DPA sees the need for a risk assessment in cases where employees’ personal data is processed on a large scale, where there is an extensive use of special categories of personal data, where analysis of data is made on the basis of a combination of datasets, or where the data is transferred to a third country.

Comparing this list to the DPIA assessment criteria prepared by WP29 in its guidelines on DPIA, the list reflects the outcome of applying those criteria in a majority of cases.

Next steps

Stakeholders are now invited to take part in a consultation on the list until April 28.

At the same time, based on Article 35(5) of the GDPR, the DPA is considering creating and publishing a list of the kinds of processing operations for which a DPIA is not mandatory.
