On 25 September 2018, the European Data Protection Board (EDPB) adopted Opinion 2/2018 on the draft list of the Belgian Data Protection Authority on processing operations for which a data protection impact assessment (DPIA) is required.
Following this opinion, the Belgian Data Protection Authority updated its list of DPIA processing operations.
The Belgian Data Protection Authority points out that the list (FR/NL) in question is not exhaustive and in no way affects the general obligation of the data controller to carry out a proper risk assessment.
In addition to the cases provided for in Article 35 (3) of the GDPR, a DPIA is in the view of the Belgian regulator always required:
- Where the processing involves the use of biometric data for the unique identification of data subjects in a public or private place accessible to the public;
- Where personal data are collected from third parties in order to be subsequently taken into account in the decision to refuse or terminate a specific service contract with a natural person;
- When health data of a data subject are collected automatically using an active implantable medical device;
- When data are collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movement of natural persons;
- Where special categories of personal data within the meaning of Article 9 of the GDPR or data of a very personal nature (such as data on poverty, unemployment, the involvement of youth services or social work, data on domestic and private activities, location data) are systematically exchanged between several controllers;
- In case of large-scale processing of data generated by devices with sensors that send data via the Internet or other means (applications of the “Internet of Things”, such as intelligent televisions, intelligent household appliances, connected toys, smart cities, intelligent energy meters, etc.) and where this processing is used to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movement of natural persons;
- Where there is a large-scale and/or systematic processing of telephony, Internet or other communication data, metadata or data relating to the location of natural persons or leading to natural persons (e.g. wifi-tracking or the processing of passenger location data in public transport), where the processing is not strictly necessary for a service requested by the person concerned; and
- When it comes to large-scale processing of personal data where the conduct of natural persons is observed, collected, established or influenced, including for advertising purposes, in a systematic manner via automated processing.
The fact that a DPIA is required does not entail that a prior consultation with the Data Protection Authority must also take place. Prior consultation will not be required if the risk can be sufficiently limited by appropriate technical and organisational measures.