The National Supervisory Authority for Personal Data Processing (the “Romanian DPA”) issued the Decision No. 174 on 18 October 2018 regarding the list of processing operations that are subject to the requirement of data protection impact assessment (“DPIA”) (“DPIA Decision”). The DPIA Decision was published after completion of the consistency mechanism with the European Data Protection Board (“EDPB”) as per article 64 of the General Data Protection Regulation (the “GDPR”).
We have briefly analyzed the circumstances that, pursuant to the DPIA Decision, require DPIA (Section A), and further made some considerations regarding other potential circumstances (Section B) before drawing a few conclusions (Section C).
A. Cases that require DPIA according to the DPIA Decision
According to the DPIA Decision, there are 7 (seven) categories of circumstances that require DPIA. Those circumstances refer to [our emphasis]:
(a) processing of personal data in order to carry out a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) large-scale processing of special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation or personal data relating to criminal convictions and offenses;
(c) processing of personal data for the purpose of systematic and large-scale monitoring of publicly accessible area, such as video surveillance in shopping centers, stadiums, markets, parks or other such spaces.
The above provisions merely repeat the provisions of the GDPR, i.e. article 35 (3) letters (a) through (c), and, therefore, they are not more specific than that, while one may have expected to see a more precise list of particular circumstances.
The only addition that the Romanian DPA provides is the definition by way of example of what systematic and large-scale monitoring of publicly accessible areas means under letter c).
(d) large-scale processing of personal data of vulnerable persons, especially minors and employees, by automatic means of monitoring and/or systematic recording of people’s behavior, including for advertising, marketing and publicity purposes.
The above case seems to refer to three of the criteria for conducting DPIAs as established by the Article 29 Working Party in its Guidelines on Data Protection Impact Assessment (DPIA) and for determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the “DPIA Guidelines”), while the Working Party 29’s recommendation is that, generally, at least two criteria should be met in order for the DPIA to be required. As a result, the DPIA Decision raises the question of whether, for example, large-scale processing of vulnerable persons, even if not by way of automatic means of monitoring or systematic recording, does require DPIA. In light of the DPIA Guidelines, the answer is positive.
(e) large-scale processing of personal data by using innovative or by applying new technological solutions, particularly where such operations limit the ability of data subjects to exercise their rights, such as the use of facial recognition techniques to facilitate access to different spaces;
(f) large-scale processing of personal data generated by sensing devices transmitting data through the Internet or by other means (the "Internet of Things" applications, such as smart TV, connected vehicles, smart metering, intelligent toys, intelligent cities or other such applications).
Same as letter d), letters e) and f) are also based on the large-scale processing criterion; in addition, processing must concern activities or devices that are rather intrusive. The two cases seem to overlap (focusing on the same two criteria); however, they provide useful insight on what the Romanian DPA seems to consider falling under the new technologies concept.
(g) large- scale and/or systematic processing of traffic and/or location data of individuals (such as Wi-Fi monitoring, processing the geo-location of passengers in public transportation or other similar situations), when processing is not necessary in order to provide a service requested by the data subject.
The Romanian DPA seems to place great emphasis on the large-scale criterion, since all new circumstances listed in the DPIA Decision, namely (d) through g), refer to it (alternatively to systematic processing for point (g)). Thereby, the Romanian DPA seems to set a benchmark whereby data controllers are guided to firstly assess whether the processing operations they carry out fall under the large-scale processing criterion or not.
B. Are there any other circumstances that require DPIA?
The DPIA Decision includes a list that is not exhaustive, but only includes examples of circumstances considered by the Romanian DPA as falling under the DPIA obligations. As a result, other processing activities may require DPIA.
Therefore, the DPIA Decision does not exempt data controllers from the effort to further assess the need to conduct the DPIA. From that perspective, the DPIA Guidelines remain a first-hand instrument for data controllers when assessing whether the processing activities they undertake are likely to result in a high risk to the rights and freedoms of natural persons and, as a result, require DPIA.
Pursuant to the DPIA Guidelines, as a general rule, if processing activities involve at least two out of the nine criteria, they fall under the DPIA obligation: (1) evaluation or scoring; (2) automated-decision making with legal or similar significant effect; (3) systematic monitoring; (4) sensitive data or data of a highly personal nature; (5) data processed on a large scale; (6) matching or combining datasets; (7) data concerning vulnerable data subjects; (8) innovative use or application of new technological or organizational solutions; and (9) the processing in itself prevents data subjects from exercising a right or using a service or a contract.
This concurs with the European Data Protection Board’s Opinion no. 19/2018 on the draft list of the competent supervisory authority of Romania regarding the processing operations subject to the requirement of a data protection impact assessment (the “Opinion”), which requires that all national lists clarify that they are not exhaustive and are based on and further complement the DPIA Guidelines.
C. Some conclusions
The DPIA Decision is useful, as it sets an indicative level (quite high, in fact) of the perception of the Romanian DPA in respect of the intensity/ scale of processing activities that require DPIA. It should therefore be a reliable instrument for data controllers to know what to expect in case of data protection-related investigations.
The DPIA Decision also includes by way of example some specific cases that, in the authority’s view, are subject to DPIA, such as processing through facial recognition devices; in that respect, compared to the lists published by other Member States’ authorities, the DPIA Decision seems to touch upon a middle ground; it is not as specific and helpful as the list published by other authorities, such as the French DPA (e.g. for constant monitoring of employees’ activity, the examples include cyber-surveillance devices, such as those used to carry out an analysis of outgoing email flows in order to detect possible information leaks known as “data loss prevention” and video surveillance of employees handling money), nor limited to merely repeating the criteria from the DPIA Guidelines, such as the Irish DPA.
The pre-GDPR practice of the Romanian DPA should not be ignored either. Indeed, there seems to exist quite a relevant overlap between the processing activities for which the Romanian DPA used to require notification in the pre-GDPR era (as resulting from Decision No. 200 of 4 December 2015 setting the processing activities for which notification is not required, such decision being currently repealed) and those for which a DPIA is required under the GDPR.
While the GDPR has been often compared to a revolution due to the novelty of the concepts it sets forward, one may find comfort relying on the past to some extent in order to better prepare for the future.