The DPA's list shall not be considered as exhaustive, in that a processing activity may require a DPIA even if the activity is not listed. However, if the activity falls within the description in the list, the controller has an obligation to carry out a DPIA before the processing activity is started.
Under the WP 29 Guidelines, a processing activity will normally be subject to a DPIA if the activity combines two or more of the following criteria: Evaluation or scoring, automated decision-making with legal or similar significant effect, systematic monitoring, sensitive data or data of a highly personal nature, data processed on a large scale, matching or combining datasets, data concerning vulnerable data subjects, and innovative use or applying new technological or organisational solutions.
The Norwegian DPA has identified a number of cases where two or more of these criteria are combined, and which will therefore always require a DPIA under Norwegian law:
- Collecting and combining data from third party sources for the purpose of deciding whether the data subject will be offered a certain service: An example here would be collection of data from the data subject's social media profile for the purpose of deciding whether the data subject will be offered a job or an insurance policy.
- Processing of biometric data for identification purposes on a large scale: An example would be processing of fingerprints or iris scans for the purpose of airport check-ins
- Processing of genetic data on a large scale: For example gene sequencing
- Processing of personal data using innovative technology in conjunction with another criterion, for example processing of sensitive data. Processing of personal data for use with health tech devises would be a relevant example.
- Processing of personal data involving measures for systematic monitoring of employee activity: Monitoring of employees using camera surveillance or monitoring of employee's Internet activities would be a relevant example here.
- Processing of personal data without consent for historical purpose in connection with another criterion: Medical research on existing patient data without obtaining a new consent from each patient would be an example of processing which will always require a DPIA.
- Processing of location data in connection with one other criterion: For example, processing of location or traffic data generated through the use of a mobile phone, which is carried out in a systematic manner, would fall within the scope of this provision.
- Processing of personal data for the purpose of evaluating learning or social environment in schools or kindergartens – this will require a DPIA.
- Systematic monitoring on a large scale in areas accessible by the public: For example, camera surveillance in a public area in the town centre.
- Camera surveillance in schools or kindergartens during opening hours
- Processing of sensitive or highly personal data on a large scale for training of algorithms
- Processing of personal data to systematically monitor proficiency, skills, scores, mental health or development
- Processing of personal data with the purpose of providing services or developing products for commercial use that involve predicting working capacity, economic status, health, personal preferences or interests, trustworthiness, behaviour, location or route: An example would be the use of scoring software for the purpose of evaluating different applicants in connection with an employment process.
- Collection of personal data through the use of "internet of things" solutions or welfare technology solutions.
Presumably, even though the examples described above apply under Norwegian national law, they will also be relevant when applying the GDPR rules and the national requirements for DPIAs in other EU/EEA countries.
The Norwegian DPA's document is available in English on the DPA's web site: https://www.datatilsynet.no/globalassets/global/regelverk/veiledere/dpia-veileder/dpialist280119.pdf
Article provided by: Øystein Flagstad, advokatfirmaet GjessingReimers AS
