Under Article 35/4 of the GDPR: “The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.”
List of processing operations which are subject to the requirement for a data protection impact assessment within Slovak Republic (hereinafter “List”)
- further specifies Art. 35 (1) of General Data Protection Regulation;
- has non-exhaustive nature and Art. 35 (1) of General Data Protection Regulation prevails in any case;
- is based on the criteria developed in the WP29 Guidelines WP 2481 and EDPB opinion 21/20182;
- its aim is therefore to create a harmonized approach with regard to processing that is cross border or that can affect the free flow of personal data or natural person across the European Union;
- complements and further specifies the Guidelines WP 248;
- identifies 13 processing operations.
List of processing operations which are always subject to the requirement for a data protection impact assessment are as follows:
1. Processing operations of biometric data for the purpose of uniquely identifying a natural person in conjunction with at least one other criterion mentioned in Guidelines WP 248.
2. Processing operations of genetic data of a natural person in conjunction with at least one other criterion mentioned in Guidelines WP 248.
3. Processing of location data together with another criterion mentioned in Guidelines WP 248.
4. Processing operations conducted under Art. 14 of General Data Protection Regulation.
Where the information to be given to the data subject is subject to an exemption under Art. 14 (5) para (b), (c) and (d) of General Data Protection Regulation require data protection impact assessment to be carried out only in conjunction with at least one other criterion mentioned in Guidelines WP 248.
5. Scoring.
The purpose of data processing is to assess certain characteristics of the data subject, and its result has an effect on the quality or the provision of the service provided and to be provided to the data subject.
6. Credit rating.
The purpose of data processing is to assess the creditability of the data subject by way of evaluating personal data in large scale or systematically.
7. Solvency rating.
The purpose of data processing is to assess the solvency of the data subject by way of evaluating personal data in large scale or systematically.
8. Profiling.
The purpose of data processing is profiling by way of evaluating personal data systematically, especially when it is based on the characteristics of the workplace performance, financial status, health condition, personal preferences or interests, trustworthiness or conduct, residence or movement of the data subject.
9. Monitoring employee work on the ground of serious reasons based on the particular nature of the employer's activities (hereinafter ”employee monitoring processing”).
Due to its specific nature, employee monitoring processing, meeting the criterion of vulnerable data subject and criterion of systematic monitoring, as two criteria mentioned in Guidelines WP 248, requires data protection impact assessment to be carried out.
10. Personal data is processed for the purposes of scientific or historical research without the consent of the data subject in conjunction with at least one other criterion mentioned in Guidelines WP 248.
11. Personal data processing using new or innovative technologies in conjunction with at least one other criterion mentioned in Guidelines WP 248.
12. Systematic monitoring of public spaces by cameras (in particular cities, municipalities and providers of both urban and suburban public transport).
13. Monitoring of people in the provision of detective services.
Criteria according Guidelines WP 248 that can help to identify when processing operations are subject to the requirement for a data protection impact assessme
- automated-decision making with legal or similar effect,
- systematic monitoring,
- sensitive data or data of a highly personal nature,
- data processed on a large scale,
- matching or combining datasets,
- data concerning vulnerable data subjects,
- innovative use or applying new technological or organisational solutions,
- when the processing in itself prevent data subjects from exercising right or using a service or a contract.
References:
- Guidelines WP 248 rev. 01 on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purpose of Regulation 2016/679 are available here: https://www.dataprotection.gov.sk/uoou/sites/default/files/guidelines_on_data_protection_impact_assessment_dpia_and_determining_whether_processing_is_likely_to_result_in_a_high_risk.pdf
- Opinion 21/2018 Slovakia SAs DPIA List) is available here: https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-212018-slovakia-sas-dpia-list_en
Article provided by: Miroslav Chlipala, Stefan Pilar (Bukovinský & Chlipala, s.r.o.)