The Hungarian Authority for Data Protection and Freedom of Information (NAIH) has just released a list of specific data processing operations where data controllers must conduct data protection impact assessments and document the results.
The processing operations listed by NAIH affect numerous industries and technologies. Among others, the following organisations must conduct a data protection impact assessment:
- healthcare and medical sector, and bodies processing biometric and genetic data on a large scale;
- those applying technologies based on location tracking or the monitoring of public areas (e.g. Wi-Fi tracking, operating drones);
- employers who monitor employees (e.g. GPS tracking devices or cameras to prevent theft and fraud, cameras and software monitoring keyboard usage, screenshots, mouse movement and e-mail traffic);
- those offering marketing services (e.g. behavioural marketing, profiling, data collection from multiple sources); or organisations offering services and products, particularly for children.
According to the GDPR, any deficiency or infringement in connection with the data protection impact assessment can make a data controller subject to an administrative fine of up to EUR 10,000,000, or in the case of a business, up to 2% of the total worldwide annual turnover for the preceding financial year.
When are impact assessments mandatory under the GDPR?
Under the GDPR, it is mandatory to conduct data protection impact assessment when operations represent a high risk to the rights and freedoms of individuals by virtue of the nature and scale of data, the large number of individuals affected, the nature of the technology, tools or other circumstances, and the sensitivity of the data processing.
According to the GDPR, this (non-exhaustive) list includes:
- the systematic and extensive evaluation of personal information through automated processing, including profiling, which produces legal effects or similarly affects a person in a significant way;
- processing special categories of data;
- processing personal data relating to criminal convictions and offences on a large scale; or
- systematic monitoring of a publicly accessible area on a large scale.
Detailed NAIH list
The long-awaited list by NAIH supplements the above GDPR short list and provides practical support for the application of GDPR. This list makes it easier for data controllers to decide whether they are required to conduct a data protection impact assessment or not.
NAIH emphasises that its list of processing operations (for mandatory data protection impact assessments) is non-exhaustive. A data controller might still be obliged to conduct impact assessments for other high-risk operations according to the GDPR. If there is any uncertainty, data controllers are urged to consult a privacy professional for advice.
Processing operations where impact assessments are mandatory include:
- Processing biometric data – if it constitutes the systematic monitoring of individuals or the data subjects are considered vulnerable (i.e. children, employees, elderly or persons suffering from mental illness).
- Processing genetic data – if it is linked to special categories of personal data, data requiring enhanced protection, or if the underlying purpose is to evaluate or score an individual.
- Scoring – if it has the objective to assess certain qualities of the individual and the outcome of the scoring has an impact on whether he receives a certain service or quality of service.
- Assessment of creditworthiness – via the systematic assessment of personal data on a large scale.
- Assessment of ability to pay – via systematic assessment of personal data on a large scale.
- Processing data collected from a third party – such as when deciding on rejecting or terminating a service for an individual.
- Processing personal data regarding students for evaluation – if the purpose of the data processing is to record the performance, fitness or mental status of students and this evaluation and data processing is not prescribed by law, regardless the level of education (i.e. basic, secondary or higher).
- Profiling – via the systematic assessment of personal data on a large scale, particularly if it is based on specific work performance, personal finances, health status, personal preferences or interests, reliability or behaviour, and location or movement of the individual.
- Actions against fraud – if the purpose is to filter clients by using credit reference databases or databases collected to prevent money laundering, financing of terrorism or fraud.
- Application of smart meters – for monitoring consumer habits.
- Automated decision-making processes with legal implications or a similar significant effect on individuals – and might lead to their exclusion or discrimination.
- Systematic monitoring of individuals on a large scale – typically using cameras, drones or any other new technology in publicly accessible areas (Wi-Fi tracking, Bluetooth tracking, body cameras).
- Processing location data – if it indicates systematic monitoring or profiling.
- Systematic processing and assessment of personal data on a large scale during monitoring of work performance of an employee – such as placing a GPS in a car or using a camera to prevent theft or fraud.
- Processing special categories of personal data on a large scale – the processing of personal data is not considered large scale if it affects personal data of patients of a specialist or a healthcare professional, or the data of clients of a lawyer.
- Processing personal data on a large scale for law enforcement purposes.
- Processing personal data related to vulnerable individuals for purposes other than why the data were initially collected – such as children, elderly or persons suffering from mental illnesses.
- Processing personal data of children – for profiling, automated decision-making or marketing purposes, or for services directly offered to them or connected with the information society.
- Using new means of technology for processing data – produced by devices with sensors via internet or other channels on a large scale (e.g. smart TVs, smart household devices, smart games), which provide data on an individual's ability to pay, health, interests, reliability or behaviour, location or movement, and serve as a basis for profiling.
- Processing data concerning health – such as for hospitals, medical institutions or private healthcare providers processing personal data on a large scale, and naturopaths who are processing special categories of personal data for a large number of patients. This includes larger sports facilities and gyms processing data concerning the health of their members.
- Creating applications, systems, devices or platforms used by multiple data controllers or a whole sector – in which special categories of personal data are being processed.
- Merging, assessment or comparison of personal data from multiple sources.