According to Article 35(4) of the GDPR, national authorities shall establish and make public a list of the types of processing operations which are subject to the requirement for a Data Protection Impact Assessment. The Spanish DPA has recently published the relevant list, which may have observed the recommendations established in the mandatory Opinion 6/2019 of the European Data Protection Board under Article 64(1)(a).
The General Data Protection Regulation (GDPR, hereinafter) has introduced the concept of data protection impact assessment in Article 35, where it is stated that a DPIA shall be carried out when a processing is likely to result in a high risk to the rights and freedoms of natural persons. The WP29 (currently the European Data Protection Board – EDPB) Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the Guidelines WP248) have further developed this concept, as the GDPR does not formally define the concept as such. In plain words, a DPIA is a common process for building and demonstrating compliance with the GDPR.
If it is concluded that a certain processing is likely to result in a high risk, carrying out a DPIA would be deemed necessary to ensure the rights and freedoms of natural persons. But the adoption of such processes within the company’s internal processes might be interesting as well for the data controllers themselves as it helps to raise awareness of the relevance of privacy matters within big organisations. In this sense, setting up an obligation to data controllers to assess –among other aspects– whether the data intended for processing is really necessary for a specific purpose would contribute to realising the accountability or data minimisation principles under the GDPR.
In order to provide legal certainty on the matter, Article 35(4) of the GDPR sets an obligation for national supervisory authorities to establish and make public a list of the kind of processing activities which are subject to the requirement for a DPIA. Moreover, the relevant lists should observe the aforementioned Guidelines WP248 on DPIAs, as these guidelines would seek the development of a common EU list of processing activities for which a DPIA is mandatory.
Prior to publishing such lists, any supervisory authority should submit a draft list to the EDPB, who would later have to issue an opinion under Article 64(1)(a) of the GDPR. Said opinion would serve to assure and encourage a consistent application of the GDPR throughout the European Economic Area. It is important to note that while the Guidelines WP248 would pursue the development of a common EU list in this regard, these opinions should avoid significant inconsistencies that may hamper an even level of protection of the data subjects across the EU. In this sense, the Spanish supervisory authority had submitted a draft list to the EDPB, and hence Opinion 6/2019 was issued.
Opinion 6/2019 on the draft list of the competent supervisory authority of Spain regarding the processing operations subject to the requirement of a DPIA concluded that such list may lead to an inconsistent application of the requirements for a DPIA. In particular, the Board requests the Spanish DPA to explicitly add the processing of biometric data for the purpose of uniquely identifying a natural person in conjunction with at least one other criterion of the list. Likewise, the Board also requests the Spanish DPA to explicitly add to the list the processing of genetic data, again in conjunction with at least one other criterion of the list.
Even though biometric and genetic data are considered as special categories of data under Article 9(1) of the GDPR, the draft list of the Spanish DPA did not determine that the processing of such data would require a DPIA. This first approach by the Spanish DPA of not including the processing of genetic and biometric data for as eligible for a DPIA may be seen as surprising if one considers the protection of data subjects in relation to this under the current Spanish Data Protection Act (Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights). The Spanish Data Protection Act did not take advantage of the leeway left by the GDPR as to requiring that the processing of certain special categories of data may not only be done on the basis of the mere consent, and left the processing of biometric and genetic data possible by just obtaining the data subject’s consent (the new Spanish Data Protection Act requires another legal basis besides consent for any data processing that has the purpose of identifying the ideology, trade union membership, religious or any kind of belief, sexual orientation, racial and ethnic origin). The “extra” protection of requiring a DPIA for the processing of genetic data, or biometric data for the purpose of uniquely identifying a natural person, seems all the more advisable, as it was later noticed by the EDPB in Opinion 6/2019.
In any event, it is useful to note that the Spanish DPA had already stated in a non-binding document that processing facial and fingerprint biometric data may be considered a lawful measure of control in the labour field as it should prevail over employees’ rights.
The final list of the Spanish DPA has recently been made publicly available amending the draft list that was submitted to the EDPB in order to implement the recommendations of Opinion 6/2019. The list of data processing for which a DPIA is mandatory that has submitted the Spanish supervisory authority is currently available in the Spanish DPA’s website both in English and Spanish. Said list includes a total of eleven types of data processing that require a DPIA, based on the criteria of Article 35 of the GDPR and the aforementioned Guidelines WP248. It is interesting to note that in order to ascertain whether a data controller is in front of some of the categories of data whose processing will require carrying out a DPIA previously, an analysis really similar to that of the DPIA should be done in order to ascertain the necessity to carry out an actual DPIA. Examples of this would be the processing of personal data that require the use of “new technologies” or the processing of vulnerable individuals or in social exclusion.
According to the Spanish DPA, where a processing meets two or more of the established criteria, a DPIA shall be carried out, unless the processing falls within the list of processing that does not require a DPIA under article 35(5) of the GDPR. The more criteria that the relevant processing meets, the greater the risk that the processing entails, and hence it is more likely that it requires a DPIA. It is interesting to note that the Spanish DPA applies the same approach of requiring two or more cumulative criteria of the list, similarly to what the Article 29 Working Party established in its Guidelines WP248 in relation to a given set of items that should be taken into account by national DPAs when drafting the list required by Article 35(4) of the GDPR. Therefore, it is seemingly left to data controllers the decision to carry out a DPIA when only one of the criteria from the list is met by the intended processing of personal data.
In conclusion, the final list of processing that may require a DPIA according to the Spanish DPA is now publicly available. It is observed that the list has amended the draft version according to the EDPB recommendations and it now serves to the realisation of a consistent application of the requirement for a DPIA throughout the EU. Although we should remind that this is a non-exhaustive list, this would provide legal certainty on the cases in which a processing is likely to result in a high risk and require a DPIA.