The Decision no. 174/2018 of the National Supervisory Authority for Personal Data Processing (ANSPDCP) for establishing the list of the processing operations for which it is mandatory to perform the Data Privacy impact Assessment (DPIA) (Decision) was published in the Official Gazette on 31 October 2018.

According to the Decision, the DPIA is required especially in the following cases:

  1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  2. Processing on a large scale of personal data which regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation or of personal data relating to criminal convictions and offences
  3. A systematic monitoring of a publicly accessible area on a large scale, such as the video surveillance of public areas as shopping centers, stadium, parks and other similar spaces
  4. Processing on a large scale of personal data pertaining to vulnerable natural persons, especially to minors or employees, based on means of automated monitoring and/ or systematic recording of their behavior, including carrying out activities involving commercials, marketing and advertising
  5. Processing on a large scale of personal data through the innovative use or the implementation of new technology, particularly where those operations limit the ability of data subjects to exercise their rights, such as the use of facial recognition techniques to facilitate access to different spaces
  6. Processing on a large scale of personal data generated by devices with sensors which send data over the Internet or by other means ("Internet of Things" applications such as Smart TVs, connected vehicles, smart meters, smart toys, smart cities or other such applications)
  7. Large scale and/ or systematic processing traffic data and/ or geolocation data of the data subjects (such as Wi-Fi monitoring, geolocating passengers in public transportation or other similar cases) when the processing is not necessary for the performance the services requested by the data subject

Additionally, the Decision provides that the data controllers are exempted to perform this assessment in the cases where the data processing is necessary (i) for compliance with a legal obligation to which the controller is subject or (ii) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, when the DPIA was already performed as part of the general impact evaluation during the law adoption process.

Please note that the list is not exhaustive and therefore these cases should only be regarded as examples. To this end, for the identification of other cases when a DPIA is mandatory, the data controllers should refer to the W29 Guidelines WP248 on DPIA and determining whether processing is “likely to result in a high risk”.

The Decision entered into force and is effective immediately as of its publication in the Official Gazette.