In 2018, IAPP Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US, wrote about the European Data Protection Board’s opinions of the EU General Data Protection Regulation Article 35(4) draft lists submitted by 22 supervisory authorities. These so-called "blacklists" identify data-processing activities likely to result in a high risk to the rights and freedoms of natural persons and, therefore, obligate a data protection impact assessment.

Since then, the European Data Protection Board has issued nine new opinions on the data protection impact assessment blacklists submitted by Croatia, Cyprus, Denmark, Iceland, the Principality of Liechtenstein, Luxembourg, Norway, Slovenia and Spain. Additionally, the EDPB published three opinions on Article 35(5) “whitelists,” submitted by the SAs of the Czech Republic, France and Spain. These lists include processing operations that are unlikely to result in a high risk and therefore do not require a DPIA. Unlike blacklists, which SAs must submit to the EDPB under Article 35(4) of the GDPR, whitelist submission is not mandatory. This piece will introduce the contents of this set of blacklist and whitelist opinions and discuss what is new.

What is subject to a DPIA under GDPR? 

This round of new opinions spans numerous issues, including some from the first 22 blacklists, such as references to the Working Party 29 Guidelines on DPIAs (WP248); biometric, genetic and location data; employee monitoring; and exceptions to information to be provided to the data subject under Article 14 (5)5 of the GDPR. The EDPB also addressed issues concerning the scope of the draft decisions and processing by sensor devices. Additionally, there are several miscellaneous blacklist items that the board states must be processed in conjunction with another criterion to require a DPIA.

Remarkably, the blacklist submitted by Denmark's SA (link in Danish) contains no recommendations from the EDPB, as the board is of the opinion that the Danish blacklist “does not contain any dispositions that may lead to an inconsistent application of the requirement to conduct a (DPIA).” Therefore, the opinions of the EDPB on eight of the nine new draft blacklists are discussed below.

Reference to the guidelines

The EDPB refers to the analysis done by the WP29 Guidelines WP248 as “a core element for ensuring consistency across the Union” and requests that the different SAs add a statement to their lists that “clarifies their list is based on these guidelines and that it complements and further specifies the guidelines.” Specifically, the EDPB advises the Cypriot and Croatian authorities to add this statement to their list. The board requests that the Croatian and Cypriot lists include an explicit reference to the WP29 guidelines, a statement that clarifies the list is based on those guidelines, and a statement that the list clarifies and complements the guidelines.

Biometric data

The EDPB acknowledges that processing biometric data to uniquely identify a natural person is not likely to represent a high risk on its own. The board advises the SAs of Croatia, Luxembourg and Slovenia to amend their lists to include the processing of biometric data to uniquely identify a natural person in conjunction with at least one other criterion to require a DPIA.

The Spanish authority's blacklist does not require a DPIA for the processing of biometric data to uniquely identify a natural person. The EDPB requests that the Spanish authority rectify its blacklist by including biometric data processing to uniquely identify a natural person in conjunction with at least one other criterion as warranting a DPIA.

The board comments that the wording in the blacklist submitted by the Lichtenstein SA is “not clear enough” regarding the meaning of “extensive processing of biometric data.” The EDPB is unsure whether “extensive” means the processing is made on a large scale or whether the processing is systematically used. If “extensive” means large-scale processing, then the board requests that the Lichtenstein SA modify their description to “clearly make a reference to this criterion.” Otherwise, if “extensive” means systematic processing, the board requests that the Lichtenstein SA add another criterion to this item to “ensure consistency.”

The list submitted by the Cypriot SA includes large-scale biometric and genetic data processing as an activity that requires a DPIA. The board indicates that the phrasing of this item may imply that the large-scale processing of biometric data is jointly conducted with genetic data processing. However, the processing of “biometric and genetic data” needs to be a “disjunctive condition.” Thus, the board suggests divorcing the reference to biometric and genetic data to become “biometric or genetic data” in the Cypriot blacklist.

Genetic data

The EDPB is of the opinion that processing genetic data in conjunction with another criterion requires a DPIA to be carried out. The blacklist of the Spanish SA does not require a DPIA for the processing of genetic data. Thus, the EDPB asks that the Spanish SA change its list by including an explicit reference to the processing of genetic data in conjunction with at least one other criterion, to be applied “without prejudice to Article 35(3) GDPR.”

Conversely, the blacklists of the Croatian, Liechtenstein and Luxembourgian SAs state that the processing of genetic data on its own creates the obligation to conduct a DPIA. The board notes that the processing of “genetic data on its own is not necessarily likely to represent a high risk.” Therefore, the board recommends these SAs modify their lists to reflect that a DPIA is only required when genetic data is processed in conjunction with at least one other criterion.

The blacklist of the Slovenian SA deems a DPIA necessary when the processing of sensitive data occurs in conjunction with another criterion from the list. However, the board considers this only an “implicit” reference to the notion that the processing of genetic data in conjunction with at least one other criterion requires a DPIA to be conducted. The board recommends the Slovenian SA explicitly include the processing of genetic data in its DPIA list as a criterion that “when occurring together with another criterion from the list leads to a DPIA being compulsory.”

Location data

The EDPB notes that most of the blacklists submitted explicitly include a reference to the processing of location data. The Cypriot SA draft blacklist does not include this reference; hence, the board requests that the Cyprus blacklist be revised to contain the processing of location data together with another criterion.

Sensor devices

The EDPB requests that the SA of Croatia remove the reference to “processing of personal data generated by Sensor Devices” from its blacklist. In its opinion on the Croatian draft blacklist, the board states that the processing of personal data generated by “sensor devices transmitting data over the Internet or other information transfer technologies” should not be a criterion that creates an obligation for a DPIA. The EDPB states that this item is not necessarily likely to represent a high risk “alone or with another criterion” given that the current wording is “overly broad in scope.”

Employee/workplace monitoring

The blacklists submitted by the SAs of Iceland, Norway, Liechtenstein include data processing related to the “systematic monitoring” of employees or the workplace. In all four opinions, the EDPB recalls that WP249 of the WP29 guidelines remain valid when "defining the concept of systematic processing of employee data." In particular, the board acknowledges that the Cypriot opinion includes the type of employee (“vulnerable data subject”) monitoring that meets the criterion of "systematic monitoring in the guidelines." According to the EDPB, the Cypriot SA’s blacklist already "envisages" this type of processing as requiring a DPIA and only recommends explicitly referring to vulnerable data subject criteria and the systematic monitoring criteria in the WP29 Guidelines WP248.

Exception to information provided to the data subject under Article 14(5)

The Liechtenstein draft blacklists require a DPIA for processing of data where Article 14(5)(b) of the GDPR applies extensively. The board writes that the wording used to describe the type of processing is “not clear enough” regarding whether “extensive nature of processing” means that the processing is made on a large scale or whether the processing is systematically used. If the Liechtenstein SA intends “extensive” to mean “on a large scale,” then the board recommends modifying this description to clarify this criterion. Otherwise, if the Liechtenstein SA means that the criterion is systematically used, then the board advises the SA to include another criterion to ensure consistency.

Other types of processing that require a DPIA in conjunction with at least one other criterion

The EDPB advises that the following five items from the Liechtenstein SA blacklist and two items from the Luxembourgian SA blacklist do not on their own consist of the type of high-risk processing that would require a DPIA. The board recommends modifying the Liechtenstein SA blacklist to include these processing activities in conjunction with another criterion to mandate a DPIA. These processing activities are listed below:

  Liechtenstein

• Processing data using new/innovative technology.
• Systematic tracking.
• Combining or matching personal data obtained from multiple sources and further processing thereof.
• Denial of service based (not solely) on automated decision making (including profiling).
• Processing of personal data if the data are evaluated, processed and used by the authorities concerned and forwarded to law enforcement authorities.

  Luxembourg

• Indirect collection of personal data when it is not possible/feasible to guarantee the right of information (Article 14(5) GDPR).
• Systematic monitoring of publicly accessible areas.

What is not subject to a DPIA under GDPR? 

Under Article 35(5) of the GDPR, SAs may publish lists of “processing operations for which no data protection impact assessment is required,” also known as “whitelists.” Unlike blacklists, which SAs must submit to the EDPB under Article 35(4) of the GDPR, whitelist submission by SAs is not mandatory.

In 2019, the EDPB issued three opinions on the draft whitelists submitted voluntarily by the SAs of the Czech Republic, France and Spain. In these opinions, the EDPB explains that whitelists contain the types of processing operations for which the SAs “are certain that, under no circumstances, they will result in a high risk” to the “rights and freedoms of natural persons.” This includes processing operations that the SAs “deem unlikely” to result in a high risk and, therefore, do not require a DPIA. The EDPB observes that by nature whitelists “cannot enumerate” every instance in which a DPIA is not necessary, thus “no list can be exhaustive.”

In the opinions, the EDPB comments that if a certain processing activity does not fall under the scope of either an Article 35(4) blacklist, an Article 35(5) whitelist or the list of activities in Article 35(3), then the data controller will have to make an “ad hoc decision” on whether the processing activity is likely to result in a high risk.

Additionally, the EDPB used these opinions to acknowledge that its Article 35(4) blacklist opinions aimed at “defining a consistent core of processing operations” and that no whitelist may “exempt these general processing operations as a rule.”

While the SA draft whitelists are subject to the consistency mechanism, the EDPB warns that this does not mean any two whitelists should be identical as the SAs consider their local legislation.

All three opinions contain some similar information regarding the need to give reference to the guidelines and the significance of the items of the Article 35(5) lists, which are discussed below. However, all three EDPB opinions contain different categories of processing that vary between the Czech, French and Spanish SAs. Each opinion contains descriptions for each processing activity, with little overlap of activity types in between.

This article groups these disparate EDPB whitelist recommendations into the following categories: activities relating to business operations; activities relating to past or present guidelines and legal requirements; broad exceptions that require restrictions; items that need removal from whitelists; and list of items considered out of scope of Article 35(6).

Reference to the guidelines

Much like the blacklist opinions, all whitelist opinions refer to the analysis done in the WP29 Guidelines WP248 as a “core element” for “ensuring consistency” across the EU. Accordingly, the EDPB recommends each whitelist contain a statement that clarifies that the whitelist is based on the WP29 Guidelines and that the whitelist “complements and further specifies the guidelines.”

Significance of the items of the Article 35(5) GDPR list

In all three whitelist opinions, the EDPB cautions that even if a processing activity falls under Article 35(5) and thus does not require a DPIA, it “does not mean that a controller is exempt from the general obligations of the GDPR.” Specifically, the opinions prescribe that all SAs include in their whitelists a paragraph that “mentions the distinction in the application of Article 32 and 35 of the GDPR.”

Article 32 of the GDPR discusses “security of processing” and includes details of technical and organizational security measures, assessments of risks, and assessments of the likelihood and severity of those risks. It appears the EDPB is advising organizations to not neglect their Article 32 duties even when their processing operations are unlikely to result in a high risk. Consequently, even when an organization is not required to perform a DPIA, it should still ensure that they have adequate security measures and assessments to remain compliant under Article 32.

Activities relating to business operations

The following whitelist items fall into the category of business operations that includes processing related to direct marketing, human resources and the recovery of debt. Generally, the EDPB recommends excluding the processing of sensitive data or data of highly personal nature and excluding data processing on a large scale.

  Processing related to business activities (Czech Republic)

The EDPB in its opinion of the Czech whitelist states that processing relating to business activities is a broad item that might involve categories of personal data likely to pose a high risk. Thus, the board recommends restricting the scope of this item by only covering business-to-customer relations, excluding the processing of sensitive data or data of highly personal nature and excluding large-scale data processing.

Processing operations consisting in direct marketing (Czech Republic)

The EDPB advises that this item on the Czech whitelist is too broad and may include processing of personal information likely to pose a high risk. The board proposes limiting the scope of this item by explicitly excluding the processing of “special categories of data and data of a highly personal nature” and excluding processing that deliberately targets “vulnerable data subjects.”

  Processing personal data in the context of human resources (France)

In the opinion on the French whitelist, the EDPB details that processing personal data in the context of HR is a broad item that may involve high-risk processing of personal data. However, the French whitelist restricts this whitelist item to only non-large-scale processing by employers with less than 250 employees that is mandated by law. Therefore, the EDPB "deems this list item in accordance with Article 35(5) GDPR."

Recovery of debt (France)

The EDPB observes that the French SA's inclusion of processing activities conducted in the context of recovering a debt is a broad item and may including processing of personal data that is likely to pose a high risk. The board advises the French SA to restrict the scope of these processing activities to "debts which have been acquired from a third party" and only for debts owed in the context "of a business to consumer relationship." Moreover, the board encourages the French SA to explicitly exclude "evaluation and scoring" from the scope of debt recovery processing activities.

  Activities relating to past or present guidelines and legal requirements (Spain)

The Spanish SA, in particular, includes several items in its whitelist that discuss processing data under some law or official guideline. The EDPB comments on each of these items and generally advises that processing under legal guidelines to comply with a legal requirement or to complete a mission still requires a DPIA to be performed.

Processing under guidelines established by or previously authorized by supervisory bodies

The EDPB points out that this item in the Spanish whitelist is “closely related” to Recital 171 of the GDPR and is addressed in the WP29 Guidelines on DPIA. The EDPB suggests the Spanish SA clarify that this exemption is valid only if the processing has “not changed since it was authorized.”

Processing under the guidelines of codes of conduct

The EDPB states that processing under the guidelines of codes of conduct approved by a SA or the European Commission does not inherently remove the obligation to perform a DPIA. The board suggests the Spanish SA specify that this covers only processing under an approved code of conduct that has already been subject to a DPIA and for which relevant safeguards have been implemented.

Processing carried out to comply with a legal requirement or to complete a mission

The EDPB warns that this item by itself does not “lift the obligation to perform a DPIA” and advises the Spanish SA to revise its list to restrict this item to situations in which a DPIA has already been performed.

Broad exceptions that require restriction

The whitelists from all three SAs include items that the EDPB considers overly broad and recommends the items be restricted. This category includes items related to workplace activities and HR, processing by professional colleges and nonprofit associations, and breathalyzer tests.

  Accounting, human resources and social and health insurance processing (Czech Republic)

In the Czech whitelist, the EDPB notes that the processing of accounting, HR and social and health insurance data is “a broad item” and may involve categories of personal data that are likely to pose a high risk. The board recommends restricting this category to non-large-scale processing that is mandatory by law.

  Managing access controls and work schedules (France)

In its opinion of the French whitelist, the EDPB states that processing activities in the context of managing access controls and work schedules is a "broad item" and may include high-risk processing. The EDPB recommends the French SA restrict this item to only cover processing that does not reveal sensitive data or "data of a highly personal nature." Moreover, the board recommends restricting the scope of "access control" to processing activities only in the context of “standard and non-biometric mechanisms aimed at controlling physical access” and restrict the scope of “work schedules” to processing activities with “the sole purpose of calculating working times.”

  Processing of human resources accounting and social security data by SMEs (Spain)

The EDPB opinion of the Spanish whitelist states that this category of processing is a broad item that may involve categories of personal data likely to pose a high risk. The board suggests limiting this item to processing operations mandated by law.

Processing by professional colleges and nonprofit associations (Spain)

The EDPB cautions that this item on the Spanish whitelist is too broad and may involve categories of personal data that is likely to pose a high risk in processing. The board advises the Spanish SA to restrict this item to processing that exclusively concerns the management of personal data in reference to “members and donors of the data controllers listed therein."

  Breathalyzer tests (France)

The French whitelist includes processing related to breathalyzer tests in the context of "transport activities." The EDPB indicates that this item is too broad and may involve high-risk processing of personal data. The board encourages the French SA to restrict this item to cases where the processing of such data is mandatory by law and where the sole purpose of processing is "preventing drivers from operating vehicles while under the influence of alcohol or narcotics."

Items that need removal from whitelists

The following is a grouping of whitelist items which the EDPB suggests the SAs remove from their whitelists.

Processing to protect the vital interests of the data subject (Spain)

The EDPB acknowledges that this item on the Spanish SA whitelist is not a processing activity but a legal ground for lawful processing. Because the board uses the nature of the processing and not the nature of the legal grounds to determine whether a processing activity is likely to result in a high risk, the board recommends the Spanish SA remove this item from its whitelist.

Tachographs (France)

The French whitelist includes processing related to tachographs in the context of “transport activities.” The EDPB states that this item is too broad and may involve high-risk processing. The board suggests that the French SA remove this item from its list.

Processing involving the taking of footage by a camera installed on a vehicle (Czech Republic)

The EDPB notes the Czech Republic’s inclusion of automobile camera footage in its whitelist might involve categories of personal data that may lead to high-risk processing. The board advises the Czech SA to exclude this item from the list.

List of items considered out of scope of Article 35(6)

The EDPB states the opinions do not comment upon items considered to be outside the scope of Article 35(6). These are items that either do not relate “to the offering of goods or services to data subjects” in several EU member states, the “monitoring of the behavior of data subjects in several Member States,” or “not likely to substantially affect the free movement of personal data within the union.” In a footnote, the EDPB warns that the list of items considered outside the scope of Article 35(6) in each opinion is “strictly tied” to the specific SA whitelist in question and “does not apply necessarily to similar items in the lists submitted by other (SAs).” These lists are provided below, organized by nation:

  Czech Republic

• “Processing operation or set of processing operations regulated by law, on condition that a DPIA has been done within the process of a general assessment of impacts of the intended piece of legislation and the processing operation is not incorporated into a common system of the controller and interconnected with other processing operations carried out by the same controller[.]”

  France

• “Processing implemented under the conditions provided by the law relating to the management of the electoral register of municipalities.
• Processing carried out by the clerks of commercial courts for the purpose of carrying out their activity.
• Processing carried out by notaries for the purpose of carrying out their notarial activity and the drafting of notarial office documents.
• Processing carried out by local authorities, as well as legal persons covered by public and private law, for the management of schools, as well as extracurricular and early childhood services.”

  Spain

• “Processing carried out by owners’ associations and sub-associations in multi-occupancy properties, according as these are defined at Article 2 (a, b, and d) of Law 49/1960 on Horizontal Property.”

Per the consistency mechanism, the SAs shall communicate their final decisions to the EDPB for inclusion in the register of decisions. To date, the register contains the final whitelist of France. Through these new opinions, the EDPB offers clarity on the instances in which a DPIA is needed and when it is not, providing greater harmonization and consistency to the application of the GDPR. Per the consistency mechanism, the SAs shall communicate their final decisions to the board for inclusion in the EDPB’s register of decisions.

Photo by Steve Johnson on Unsplash