Under the European Data Protection Regulation, data protection impact assessments are required when data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Exactly what “high risk” entails, however, has been a difficult question to answer. Article 35.3 of the GDPR provides a non-exhaustive list of examples of data processing activities that require DPIAs. The Article 29 Working Party Guidelines on DPIAs also offer help in identifying when DPIAs are necessary.

In line with their obligations under Article 35.4, the supervisory authorities of 22 Member States submitted draft lists to the European Data Protection Board identifying data processing activities likely to result in a high risk and therefore require DPIAs. The EDPB subsequently issued opinions on each of these lists, pursuant to its responsibilities under Article 64.1. This “global assessment” of the draft lists was aimed at “creat[ing] a harmonized approach” and “promot[ing] consistency” in processing that “can affect the free flow of personal data or natural person[s] across the European Union.” The Board requested that the SAs include certain types of processing in their lists, remove other types that the Board did not consider as creating high risks for data subjects, and “use some criteria in a harmonized manner.”

In general, the EDPB did not comment on items outside the scope of Article 35.6. In addition, the EDPB explained that each SA has “a margin of discretion with regard to the national or regional context and should take into account their local legislation.” Most importantly, while these lists are subject to the consistency mechanism and harmonization is desirable, the Board noted that the lists do not have to be "identical.” The EDPB’s stated aim was “not to reach a single EU list but rather to avoid significant inconsistencies that may affect the equivalent protection of the data subjects.”

The EDPB’s Opinions on the 22 Draft Lists

The EDPB’s analyses of the draft lists addressed a variety of issues, including their indicative nature and their references to the Working Party 29 Guidelines on DPIAs (WP 248). The EDPB’s opinions also addressed large-scale processing; biometric, genetic, and location data; data collected from third parties (vis-à-vis Article 19); employee monitoring; exceptions to information to be provided to the data subject according to Article 14.5; processing for scientific or historical purposes; and processing using new/innovative technology. The EDPB’s opinions on when these types of processing require a DPIA, and its suggested amendments to the draft lists, are described below.

Indicative nature of the lists

According to the EDPB, all of the submitted lists are to be interpreted as further specifying Article 35.1, which it stated “will prevail in any case.” Thus, it emphasized that none of the lists should be considered exhaustive, and it requested that each list include an explicit statement about the non-exhaustive nature of the list (if omitted). Only the lists of Belgium, Greece, Hungary, the Netherlands, Portugal, Sweden, and the U.K. already had such a disclaimer.

References to the guidelines

In its opinions, the Board referred to the analysis done by the Working Party 29 Guidelines WP248 as “a core element for ensuring consistency across the Union.” Thus, the Board requested that each SA clarify that its list “is based on these guidelines” and that it “complements” and “further specifies” them. None of the lists, except for the one submitted by the SA of the Netherlands, contained such a reference.

In particular, the WP 248 guidelines provide nine criteria, each of which, when met, make it more likely that processing will present a high risk to the rights and freedoms of data subjects and require a DPIA. In its opinions, the EDPB stressed that the lists provided by the SAs specify that the processing of certain types of data, such as biometric or genetic data, should only require a DPIA when at least one of these other criteria is also met. These nine criteria include: evaluation or scoring, such as building a behavioral or marketing profile of a website user; automated-decision making, which may lead to exclusion or discrimination; systematic monitoring; sensitive data or data of a highly personal nature, such as medical records; data processed on a large scale; matching or combining datasets; data concerning vulnerable data subjects, such as children, employees, or the elderly; innovative use or applying technological or organizational solutions, such as using fingerprints or facial recognition for physical access control; and when the processing in itself “prevents data subjects from exercising a right or using a service or a contract.”

Large-scale data processing

Regarding what constitutes large-scale processing, the Board advised the Czech, Estonian, and Greek SAs to delete explicit figures from their lists, and instead refer to the definitions of “large scale” provided in the WP29 guidelines on Data Protection Officers (WP 243) and DPIAs (WP 248), which take into account several specific factors to determine whether processing is being carried out on a large scale.

Biometric data

One group of lists (submitted by the SAs of Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Greece, Romania, Slovakia, and Sweden) envisages that “the processing of biometric data for the purpose of uniquely identifying a natural person, in conjunction with at least one other criterion, requires a DPIA.” The EDPB acknowledged that these lists align with the aim of consistency and did not recommend any amendments to them regarding their references to biometric data.

A second group of lists (submitted by the SAs of Hungary, Ireland, Italy, Lithuania, Malta, Portugal, and the United Kingdom), however, state that the processing of biometric data on its own would create the obligation to perform a DPIA. In its opinions directed at these SAs, the Board stated its belief that “the processing of biometric data on its own is not necessarily likely to represent a high risk.” It thereby requested these SAs to amend their lists to indicate that the processing of biometric data to uniquely identify a natural person in conjunction with at least one other criterion would require a DPIA to be carried out.

A third group (submitted by the SAs of Latvia, Germany, the Netherlands, and Poland) did not require a DPIA to be done for the processing of biometric data for the purpose of uniquely identifying a natural person. The EDPB therefore requested these SAs to amend their lists in line with its opinion that biometric data processing to uniquely identify a natural person, in conjunction with at least one other criterion, warrants a DPIA.

Genetic data

As with biometric data, the Board stated in multiple opinions that “the processing of genetic data in conjunction with at least one other criterion requires a DPIA to be carried out.” While the lists from the Austrian, Belgian, Bulgarian, Czech, Dutch, Greek, Romanian, Slovakian, and Swedish SAs were consistent with this opinion, the lists submitted by the Estonia, German, Polish, and Portuguese SAs did not require a DPIA for the processing of genetic data. Thus, the Board asked the SAs in the latter group to amend their lists to explicitly state that a DPIA is required whenever genetic data is processed in conjunction with at least one other criterion.

Meanwhile, the lists provided by the SAs of Finland, France, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, and the UK state that the processing of genetic data on its own creates the obligation to conduct a DPIA. In its opinions directed at these SAs, the Board made it clear that it “is of the opinion that the processing of genetic data on its own is not necessarily likely to represent a high risk.” Thus, it requested these SAs to amend their lists in line with the notion that a DPIA is required only when genetic data is processed in conjunction with at least one other criterion.

Location data

The lists submitted by SAs of Germany, Ireland, the Netherlands, Portugal, and the United Kingdom require a DPIA to be carried out when location data is processed on its own. The Board requested that these SAs amend their lists to be consistent with the opinion that “the processing of location data requires a DPIA to be carried out only when it is done in conjunction of at least one other criterion.”

Also, as the lists submitted by the Bulgarian, Finnish, French, Hungarian, Latvian, Polish, and Slovakian SAs do not contain a reference to location data, the Board advised them to include the processing of location data, together with another criterion, on their lists.

Data collected via third parties (GDPR Article 19)

In multiple opinions, the Board stated that “a processing activity conducted by the controller under article 19 GDPR and where the information of recipients would prove impossible or require a disproportionate effort only requires a DPIA to be carried out when this processing involves at least one other criterion.” The Board specifically took note of the lists from the Belgian, Latvian, Slovakian, and UK SAs, all of which include this criterion.

Because the lists of the German and Hungarian SAs state that this type of processing on its own would necessitate the conduct of a DPIA, the Board requested these SAs to amend their lists to be in line with the belief that this type of processing only requires a DPIA when done in conjunction with at least one other criterion.

Employee monitoring

Regarding employee monitoring, the Board noted that, “due to its specific nature, the employee monitoring processing … could require a DPIA.” The Board suggested it would only be required, however, if the criteria of vulnerable data subjects and systematic monitoring were met. Given that most lists envisage a DPIA to be required for employee monitoring processing, the Board recommended that explicit reference be made in these lists to these two criteria. All of the SAs, except for those of Austria, Bulgaria, Finland, and Greece, received this recommendation. Furthermore, the Board noted that “the WP249 of the Article 29 working party remains valid when defining the concept of the systematic processing of employee data.”

Exceptions to information to be provided to the data subject according to Article 14.5 GDPR

Article 14.5 contains several exemptions to the requirement for data controllers to provide information to data subjects. According to the Board, a processing activity conducted under this article, where information is subject to an exemption under 14.5 (b)-(d), “could require a DPIA to be carried out only in conjunction with at least one other criterion.”

The lists submitted by several SAs, however, require a DPIA to be carried out for the processing of data where Article 14.5 (b)-(d) applies on its own. The Board thus recommended that these lists — submitted by the SAs of Bulgaria, Finland, Lithuania, the Netherlands, Portugal, Slovakia, and the U.K. — be amended to reflect its opinion that this type of processing only requires a DPIA when done in conjunction with at least one other criterion, which the Board noted is included in the list submitted by the SA of Greece.

Processing for scientific or historical purposes

The Board stated in its opinions that the processing of personal data for scientific or historical purposes “on its own is not necessarily likely to represent a high risk,” but should require a DPIA only when done in conjunction with at least one other criterion. While it noted the inclusion of this criteria on the lists submitted by the SAs of Greece, Ireland, and Portugal, the Board also recommended that the Latvian, Lithuanian, and Slovakian SAs amend their lists to align with this opinion.

Processing data using new/innovative technology

The Board took note of the lists submitted by the Austrian, Belgian, Bulgarian, Dutch, Hungarian, Polish, Romanian, and Swedish SAs, which envisage that a DPIA is required when personal data is processing using innovative technology in conjunction with at least one other criterion.

The list submitted by the SAs of Italy, Latvia, Lithuania, Malta, Portugal, Slovakia, and the U.K., however, consider the use of new or innovative technology on its own to require a DPIA. In its opinions directed at these SAs, the Board stated its belief that the processing of personal data using innovative technology “on its own is not necessarily likely to represent a high risk.” Thus, the Board requested that these SAs amend their references to innovative technology and add that a DPIA is required to be carried out only when innovative technology is used in conjunction with at least one other criterion.

Other types of processing that require a DPIA in conjunction with at least one other criterion

The Board advised the Belgian, Greek, and Portuguese SAs to amend their lists to indicate that “the processing of health data with the aid of an implant” requires a DPIA. The Board also noted, however, that the processing of non-health data with the aid of an implant does not require a DPIA in every instance.

Lastly, the Board considered migration from one system to another to require a DPIA when done in conjunction with at least one other criterion. As the list from Bulgaria’s SA required a DPIA to be carried out for migration from one system to another on its own, the Board advised it to amend its list accordingly.

Types of processing that should not be a criterion to conduct a DPIA

The Board commented on several other types of processing that it believed should not be a criterion for carrying out a DPIA, either alone or with another criterion, but that were on at least one list. These include processing that is conducted through territorially-distributed or cross-border information systems (Bulgaria) and international transfers (Czech Republic and Latvia).

The list submitted by the Austrian and Bulgarian SAs require a DPIA to be conducted when processing occurs under a joint controllership. Stating in its opinion that “joint controllership should not be criterion leading to an obligation to do a DPIA, alone or with another criterion,” the Board advised the Austrian and Bulgarian SAs to remove references to this type of processing from their lists.

The Board also stated that the use of a specific legal basis “should not be a criterion leading to an obligation to do a DPIA, alone or with another criterion.” As the lists submitted by the Italian and Bulgarian SAs both identified a specific legal as requiring a DPIA, the Board requested that they make amendments by “removing the reference to any specific legal basis from the list.”

In addition, the Board noted that processing made in the context of the collection of personal data via interfaces of personal electronic devices, which are not protected against unauthorized readout, either alone or with another criterion, should not lead to an obligation to conduct a DPIA. Since the lists submitted by Germany and Portugal envisioned this type of processing to require a DPIA, the Board requested them to amend their lists by removing the references to this type of processing.

Finally, the lists submitted by the Irish, Maltese, Portuguese, and Slovakian SAs require a DPIA to be carried out for the further processing of personal data. The Board regards the further processing of personal data, either alone or with another criterion, however, as not creating an obligation to conduct a DPIA. It therefore requested these SAs to amend their lists accordingly.

Conclusion

The European Data Protection Board is the newest institution to take up a seat at the table of regulating privacy and data protection. Through its mission to “ensure consistent application in the European Union of the General Data Protection Regulation,” it has provided a set of opinions to the supervisory authorities of 22 member states. These opinions aim to clarify, harmonize, and bring greater consistency to the application of the GDPR.

Each supervisory authority must now communicate to the EDPB whether they intend to amend their list or keep it in its current form and provide an explanation of its decision.

As privacy professionals, regulators, and lawmakers consider the question, “How attainable is the goal of consistent application of the GDPR?,” the responses from the SAs to the opinions issued by the EDPB will serve as some of the earliest indicators of what the answer might be.