Belgian Privacy Commission issues draft recommendation on DPIAs
- 17/02/2017
The Belgian Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer / Commission de la protection de la vie privée) (the Privacy Commission) has recently published its draft recommendation regarding data protection impact assessments (DPIAs). Stakeholders are invited to submit their comments on the draft recommendation by the end of February 2017.
The EU General Data Protection Regulation (the GDPR) lays down several new obligations for data controllers, including the obligation to carry out a DPIA before carrying out certain data processing activities. The objective of DPIAs is to assess the risks associated with the rights and freedoms of natural persons that arise or threaten to arise in connection with the processing of personal data and to assess the possibilities for mitigating or managing these risks.
The Privacy Commission's recommendation seeks to provide guidance on how to comply with this new obligation and to provide answers to practical questions raised by DPIAs. In particular, the recommendation specifies: (i) the essential elements of a DPIA; (ii) the circumstances under which DPIAs are required; and (iii) the actors who should be involved in a DPIA.
1. ESSENTIAL ELEMENTS OF A DPIA
Article 35(7) of the GDPR provides that a DPIA shall contain at least:
(i) A systematic description of the envisaged processing operations and the purposes of the processing;
(ii) An assessment of the necessity and proportionality of the processing;
(iii) An assessment of the risks to the rights and freedoms of data subjects; and
(iv) The measures envisaged to address the risks.
First, the recommendation explains that, to comply with Article 35(7) of the GDPR, the purposes as well as the processing (including its means) have to be described in a complete, coherent and clear way. According to the Privacy Commission, this description has to be drafted in the light of Article 30 of the GDPR, which obliges controllers and processors to keep a record of their processing activities and lists the elements that should be recorded.
Second, the DPIA should assess the necessity and proportionality of the processing activity by specifying: (i) why the processing of personal data is necessary; and (ii) the reasons for which each processing activity is necessary to fulfil its purpose. If the purpose of the processing activity can be achieved through various means, the Privacy Commission requires data controllers to choose the least privacy-intrusive option. Moreover, the effectiveness of the processing has to be assessed.
Third, the DPIA has to assess the risks to the rights and freedoms of data subjects. These rights and freedoms mainly concern the right to privacy, freedom of expression, freedom of religion as well as the prohibition of discrimination. In its draft recommendation, the Privacy Commission defines risk as “the probability that a threat would arise and would create a specific impact”, a definition which it has borrowed from the International Standards Office (Guide 73:2009).
Because this definition does not by itself give a very clear picture of which risks are to be taken into account, the Privacy Commission refers to the specific circumstances in which processing operations could create a risk, as listed in recital 75 of the GDPR. These include, in particular, processing which may give rise to discrimination, identity theft or fraud, financial loss or damage to one’s reputation. Other relevant risks include situations where the processing involves sensitive personal data or data about children, and processing involving a large amount of personal data and affecting a large number of data subjects. The DPIA should assess the risks inherent in the processing, as well as any residual risks that may remain after the risk-mitigating measures have been applied.
The recommendation further notes that the DPIA should describe the methodology used to assess the risks.
Fourth, after having analysed the risks, the DPIA should assess the measures envisaged to address the risks including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
2. CIRCUMSTANCES UNDER WHICH DPIAS ARE REQUIRED
Pursuant to Article 35 of the GDPR, a DPIA is only required when the processing could create high risks to the rights and freedoms of data subjects. According to the Privacy Commission, high-risk processing has to be understood as a processing activity which “in the absence of adequate safeguards, is likely to have significant adverse consequences for the rights and freedoms of natural persons”.
Article 35(3) of the GDPR enumerates three situations in which a DPIA is always required, namely in case of: (i) profiling; (ii) processing on a large scale of sensitive data; and (iii) systematic monitoring of a publicly accessible area on a large scale. Recital 91 of the GDPR specifies that a DPIA should not be mandatory if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.
In accordance with Article 35(4) and (5) of the GDPR, the Privacy Commission proposes both a white list of processing activities for which no DPIA is needed (Annex 3 of the draft recommendation) and a black list of processing activities that always require a DPIA (Annex 2 of the draft recommendation). In addition to the processing activities for which the GDPR itself makes a DPIA mandatory, the draft black list also includes other types of processing activities, such as:
(i) processing using biometric or genetic data;
(ii) obtaining personal data from third parties to determine whether to refuse or annul a service to a data subject;
(iii) processing aimed at evaluating the financial solvency of the data subject;
(iv) processing that could compromise the physical health of the data subjects in case of a data breach;
(v) processing financial or sensitive data for secondary purposes;
(vi) evaluating personal aspects about work performance, economic situation, health, location, interests, etc.;
(vii) large scale profiling activities; and
(viii) processing of data relating to a large number of data subjects that are publicly disclosed.
The Privacy Commission furthermore reiterates that processing operations where the residual risk after the DPIA remains high and cannot be mitigated must be notified to it. The Privacy Commission will then assess whether the proposed processing complies with the GDPR. Unfortunately, the draft recommendation does not give any examples of situations which may be submitted to the Privacy Commission and still be found to be in compliance with the GDPR. This may discourage controllers from notifying processing operations involving high residual risks to the Privacy Commission.
3. ACTORS INVOLVED IN THE DPIA
As per Article 35(1) of the GDPR, the responsibility for conducting a DPIA lies with the data controller. However, according to the Privacy Commission, the people best placed within a company to contribute to a quality risk assessment should be involved in a timely manner in the risk identification, assessment and management process. The Privacy Commission also recommends that the highest authority within the controller's organisation should be sufficiently involved in the risk assessment process. It also suggests that the implementation of the measures recommended in the DPIA could be submitted for approval to the board of directors.
The draft recommendation further notes that data processors should, depending on the nature of the processing and the information at their disposal, assist the controller in carrying out the DPIA.
Finally, where a data protection officer has been designated within a company, the controller shall seek the data protection officer's advice when carrying out a DPIA.
The Privacy Commission’s recommendation has been published in draft form and stakeholders have been invited to submit their comments to the Privacy Commission by 28 February 2017.
The Article 29 Working Party will also publish a recommendation regarding DPIAs in the coming months whose elements will be integrated into the final version of the Privacy Commission's recommendation.
The draft recommendation has been published in French and in Dutch.