On 28 February 2018, the Belgian Commission for the Protection of Privacy (the “Privacy Commission”) published a recommendation setting out its approach to Data Protection Impact Assessments (“DPIAs”), and in doing so published a “White List” and a “Black List” of processing operations, pursuant to the General Data Protection Regulation (“GDPR”). Organisations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations. However under the GDPR, member state data protection authorities:
- are required to publish a “Black List” of processing operations which are always subject to the requirement to undertake a DPIA; and
- are permitted to publish a “White List” of processing operations which are not subject to the requirement to undertake a DPIA.