Bulgarian Data Protection Authority – the Commission for Personal Data Protection (“the CPDP”) published a new version of the List which contains the types of processing operations requiring prior data protection impact assessment under the provisions of Art. 35, par. 4 of Regulation (EC) 2016/679 (the “List”). The initial version of the List passed a conciliation procedure with the European Data Protection Board (“the EDPB”). Since the latter made recommendations to the CPDP, the wording of most of the personal data processing operations underwent changes.
In its current version, the List contains eight operations which should be taken into account by the data controllers. They have an obligation to conduct an impact assessment if the personal data processing operations they carry out are among the listed. It should also be noted that the List is non-exhaustive and at any time the CPDP may add or remove operations.
Regarding the types of personal data processing operations included in the List, the following can be highlighted:
As per the EDPB’s recommendations, CPDP added additional conditions to some of the operations since without such conditions the operations per se would not lead to risks for the data subjects’ rights. For example, an impact assessment will not be obligatory, if a controller simply processes biometric data. However, it will be an obligation if there are additional conditions in place – the processing of biometric data to be on a large scale, for the purpose of unique identification of an individual and not to be occasional. Accordingly, the CPDP has added an additional condition to the processing of genetic data, namely processing shall be for profiling, which effects legal consequences for data subjects or similarly affects them to a significant extent. Migration of personal data as an operation will also require an impact assessment, but only if there is the additional condition migration to be carried out from existing to new technologies where it involves data processing on a large scale. The CPDP does not provide guidance on what should be understood by the term “new technologies”, so the assessment should be made by the controllers.
The operation referred to in point 4 of the List broaden the application of obligatory impact assessment. Therefore, any controller who processes personal data on a large scale but is unable to provide data subjects with the required information on the processing (as per Art. 13 of GDPR) or provision of this information requires disproportionate large efforts, shall carry out an obligatory impact assessment.
Other processing operations that are included in the CPDP’s List are as follows:
- Processing of personal data by a controller with a place of establishment outside the EU where such a controller has a representative in the EU which is located in the territory of the Republic of Bulgaria;
- Regular and systematic processing where providing data subjects with the information under Art. 19 of GDPR is impossible for the controller or requires disproportionate effort;
- Processing of personal data of children in terms of direct provision of information society services.
Following a recommendation by the EDPB, operations that do not involve risky processing of personal data have been removed from the initial version of CPDP’s List. These removed operations are processing on the grounds of fulfilling a legal obligation; processing by joint controllers; cross-border processing of personal data with information systems (where data is transferred between EU Member States).