Recently, UODO – the Polish data protection authority – announced a modified list of the types of personal data processing operations that require a data protection impact assessment (List)*.

What is the data protection impact assessment?

The data protection impact assessment (DPIA) is one of the tools used by controllers to demonstrate compliance with the GDPR. It is aimed at assessing the impact of the planned processing operations which - based on a preliminary assessment - are likely to result in a high risk to the rights and freedoms of natural persons and at undertaking remedies to eliminate such risk.

Why has the List been modified?

The obligation to publish the List is imposed on the national supervisory authorities under the GDPR. UODO published the List for the first time in August 2018, however, it was obliged to modify it by the European Data Protection Board (EDPB) to, among other things, ensure consistency in the application of GDPR in the Member States.

What’s new?

In accordance with the recommendations of the EDPB that refer to the guidelines of the Article 29 Working Party concerning the data protection impact assessment:

  • the processing of biometric data for identification or access control purposes, e.g. access control to certain premises or obtaining access to an IT system account has been identified as a separate criterion;

  • a new criterion has been identified concerning the processing of location data, e.g. tracking the location of application users or employees;

  • the processing of genetic data, e.g. as part of performing DNA or medical tests, has also been identified as a separate criterion.

At present in UODO’s view profiling social media or application users for the purposes of sending marketing information to them may also require a data protection impact assessment even if such information was sent upon the recipient's consent (it is not spam).

Polish specificity

Business entities that carry out international activity should also take note of the examples of processing operations that are not included in the guidelines of the Article 29 Working Party (but were included in the first List). For example, data processing as part of whistleblowing systems which are often used by international corporations may require carrying out a DPIA in Poland. Similarly, a data protection impact assessment may be required in Poland for using innovative technology in interactive toys or carrying out telemedical consultations with non-EU facilities or transferring medical data at the international level.

How to use the List?

In certain situations the performance of a DPIA is mandatory and the List is to help the controller to establish such situations.

A data protection impact assessment is generally required if the given type of processing meets at least two criteria specified in the List. An example would be monitoring employees’ working time and the information flow in the tools used by them (Internet, email). The more criteria are met the more likely the necessity of carrying out a DPIA will be.

This, however, does not rule out that a given processing operation may require carrying out a data protection impact assessment upon meeting only one criterion. This is due to the fact that the List is illustrative and not exhaustive, and does not release the controllers from liability for taking a decision on whether or not to perform a DPIA. A controller that plans to commence a new type of processing, e.g. upon implementing a new product or service, should each time take into account the potential risks for the persons whose data is processed and consider the legitimacy of performing the data protection impact assessment.