Countdown 8 weeks until GDPR: Will organizations be required to undertake Privacy Impact Assessments when conducting personal data processing?

29.03.2018 EU law

Only 8 more weeks to go before the GDPR becomes fully effective. Preparing your company for the application of this new regulation requires a correct understanding of its principles. Each week, we highlight one particular misconception regarding the interpretation of the GDPR.

Will organizations be required to undertake Privacy Impact Assessments when conducting any kind of personal data processing?

Privacy Impact Assessments or Data Protection Impact Assessments (“DPIA”) are only required in the exceptional situation in which the processing is likely to result in a high risk to the rights and freedoms of natural persons. Whether the processing entails such a high risk depends on the presence of one or more of the following factors: automated decision-making, evaluation or scoring, systematic monitoring, sensitive data, scale of processing, vulnerable data subjects, data transfers outside the EU, etc. In particular, a DPIA will be required if the processing entails: (i) any systematic and extensive evaluation of personal aspects of natural persons based on automated processing or profiling upon which decisions are based; (ii) processing of so-called “sensitive” categories of personal data on a large scale; or (iii) a systematic monitoring of a publicly accessible area on a large scale. National supervisory authorities are moreover required to establish a list of the types of processing operations that require a DPIA, as Belgium, for example, has already done.

Conversely, a DPIA is not required if the processing is not likely to result in a high risk. Moreover, other scenarios in which a DPIA is not required are (i) if a DPIA has already been carried out for very similar processing activities or (ii) if the processing has a legal basis under EU law or Member State law and a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis. National supervisory authorities may also draw up a list of the kinds of processing operations for which no DPIA is required.

Furthermore, the Article 29 Working Party has in the meantime clarified that DPIAs are only required for processing operations that are initiated after the GDPR becomes applicable on 25 May 2018, or that change significantly after that date. In addition, it is recommended, but not mandatory, to also carry out DPIAs for processing operations already underway prior to May 2018 if there is a change to the risk represented by the processing operation, or if the organizational or societal context of the processing activity has changed.


Stibbe, together with Chiomenti, Cuatrecasas, GIDE and Gleiss Lutz, has gathered this useful information, reflecting some common misconceptions about the implementation of the GDPR.
