Belgian Privacy Commission Issues Guidance on Data Protection Impact Assessments Under the GDPR

On 28 February 2018, the Belgian Commission for the Protection of Privacy (the “Privacy Commission”) published a recommendation setting out its approach to Data Protection Impact Assessments (“DPIAs”), and in doing so published a “White List” and a “Black List” of processing operations, pursuant to the General Data Protection Regulation (“GDPR”).  Organisations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations. However under the GDPR, member state data protection authorities:

  • are required to publish a “Black List” of processing operations which are always subject to the requirement to undertake a DPIA; and
  • are permitted to publish a “White List” of processing operations which are not subject to the requirement to undertake a DPIA.

The Black list

The Black List published by the Belgium Privacy Commission sets out that a DPIA will always be required:

  • Where the processing involves the use of biometric data to uniquely identify individuals in a public space or in a private space accessible to the public;
  • Where the personal data is collected from a third party in order to make a decision to refuse or to terminate a given services contract with an individual;
  • Where special category of personal data is used for a purpose (or for purposes) other than that for which they were originally collected, except where the processing is based on the data subject’s consent, or where necessary for the controller to meet its legal obligations;
  • Where the processing is carried out using an medical implant and a personal data breach could compromise the physical health of the data subject;
  • In the case of large-scale processing of personal data concerning vulnerable people, particularly children, for a purpose (or for purposes) other than that for which they were originally collected;
  • Where the data is collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, or location or movements of individuals;
  • Where special categories of personal data or data of a very personal nature (such as data on poverty, unemployment, involvement in children’s services or social services, data about domestic and private activities, or location data) are systematically shared between multiple controllers;
  • In the context of large-scale Internet of Things processing of data (i.e., generated using devices which have sensors and which send data via the internet or other means such as smart televisions, smart kitchen appliances, connected toys, smart cities, smart meters), and the purpose of the processing is to analyse or predict the economic situation, the health, the personal preferences or interests, the reliability or behaviour, or the location or movements of individuals;
  • In the context of large-scale, and/or systematic processing of telephony data, internet data, or other communication data, metadata, location data of natural persons, or data which permits the organisation to find natural persons (such as wifi tracking or location data of those travelling via public transport) where the processing is not strictly necessary for a service requested by the data subject; and
  • In the context of large-scale processing of personal data where the behaviour (for example, viewing habits, listening habits, browsing habits, clicking activity, physical behaviour or shopping habits) of natural persons is observed, collected, established or influenced, including for advertising purposes, in a systematic manner using automated processing.

Note that this list may be subject to change.  A final decision as to the content of Black List will be made by the Belgian Data Protection Authority, which will replace the Privacy Commission on the 25 May 2018.

The White List

The White List sets out scenarios where a DPIA is not required. Many of these scenarios are subject to further caveats set out by the recommendation. A DPIA will not be required for the following types of processing:

  • Processing operations carried out by private organisations which are necessary for compliance with a legal obligation to which the organisation is subject, provided that the law sets out the purposes of the processing, the categories of personal data to be processed and provides safeguards to prevent abuse or unlawful access or transfer;
  • Processing for the purposes of the administration of salaries of people who work for or on behalf of the controller;
  • Processing exclusively for the purposes of administration of personnel who work for or on behalf of the controller, where that administration is required by law or regulation, but only to the extent that the processing does not involve health data, special categories of personal data, data concerning criminal convictions or infractions, or data to be used to evaluate data subjects;
  • Processing exclusively for the purposes of the controller’s accountancy practices. The processing must be limited to the data subjects, and the data categories which are necessary for the controller’s accountancy practice;
  • Processing in relation to the administration of shareholders and associates. The processing must be limited to the data subjects, and the data categories which are necessary for that administration;
  • Processing undertaken by a foundation, association or any other non-profit organisation carrying out its day-to-day activities, but only where the data was not obtained from third party databases and where the processing concerns:
    • personal data about its own members;
    • people with whom the controller regularly interacts; and
    • the beneficiaries of the organisation.
  • Processing in relation to the registration of visitors for the purposes of a sign-in or check in procedure; although data must be limited to certain information such as the name and professional address of the visitor and information identifying their vehicle;
  • Processing by educational institutions for the management of their relationship with their own pupils or students (past, present or potential) in the context of their educational duties; and
  • Processing exclusively in relation to the management of an organisation’s clients or suppliers (past or present), as long as the processing does not involve data such as ‘special category personal data’, or data concerning criminal convictions or infractions.