Apr 52018

Belgian Privacy Commission Issues Guidance on Data Protection Impact Assessments Under the GDPR

Wim Nauwelaerts and Paul Greaves
, , ,

On 28 February 2018, the Belgian Commission for the Protection of Privacy (the “Privacy Commission”) published a recommendation setting out its approach to Data Protection Impact Assessments (“DPIAs”), and in doing so published a “White List” and a “Black List” of processing operations, pursuant to the General Data Protection Regulation (“GDPR”).  Organisations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations. However under the GDPR, member state data protection authorities:

  • are required to publish a “Black List” of processing operations which are always subject to the requirement to undertake a DPIA; and
  • are permitted to publish a “White List” of processing operations which are not subject to the requirement to undertake a DPIA.

The Black list

The Black List published by the Belgium Privacy Commission sets out that a DPIA will always be required:

  • Where the processing involves the use of biometric data to uniquely identify individuals in a public space or in a private space accessible to the public;
  • Where the personal data is collected from a third party in order to make a decision to refuse or to terminate a given services contract with an individual;
  • Where special category of personal data is used for a purpose (or for purposes) other than that for which they were originally collected, except where the processing is based on the data subject’s consent, or where necessary for the controller to meet its legal obligations;
  • Where the processing is carried out using an medical implant and a personal data breach could compromise the physical health of the data subject;
  • In the case of large-scale processing of personal data concerning vulnerable people, particularly children, for a purpose (or for purposes) other than that for which they were originally collected;
  • Where the data is collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, or location or movements of individuals;
  • Where special categories of personal data or data of a very personal nature (such as data on poverty, unemployment, involvement in children’s services or social services, data about domestic and private activities, or location data) are systematically shared between multiple controllers;
  • In the context of large-scale Internet of Things processing of data (i.e., generated using devices which have sensors and which send data via the internet or other means such as smart televisions, smart kitchen appliances, connected toys, smart cities, smart meters), and the purpose of the processing is to analyse or predict the economic situation, the health, the personal preferences or interests, the reliability or behaviour, or the location or movements of individuals;
  • In the context of large-scale, and/or systematic processing of telephony data, internet data, or other communication data, metadata, location data of natural persons, or data which permits the organisation to find natural persons (such as wifi tracking or location data of those travelling via public transport) where the processing is not strictly necessary for a service requested by the data subject; and
  • In the context of large-scale processing of personal data where the behaviour (for example, viewing habits, listening habits, browsing habits, clicking activity, physical behaviour or shopping habits) of natural persons is observed, collected, established or influenced, including for advertising purposes, in a systematic manner using automated processing.

Note that this list may be subject to change.  A final decision as to the content of Black List will be made by the Belgian Data Protection Authority, which will replace the Privacy Commission on the 25 May 2018.

The White List

The White List sets out scenarios where a DPIA is not required. Many of these scenarios are subject to further caveats set out by the recommendation. A DPIA will not be required for the following types of processing:

  • Processing operations carried out by private organisations which are necessary for compliance with a legal obligation to which the organisation is subject, provided that the law sets out the purposes of the processing, the categories of personal data to be processed and provides safeguards to prevent abuse or unlawful access or transfer;
  • Processing for the purposes of the administration of salaries of people who work for or on behalf of the controller;
  • Processing exclusively for the purposes of administration of personnel who work for or on behalf of the controller, where that administration is required by law or regulation, but only to the extent that the processing does not involve health data, special categories of personal data, data concerning criminal convictions or infractions, or data to be used to evaluate data subjects;
  • Processing exclusively for the purposes of the controller’s accountancy practices. The processing must be limited to the data subjects, and the data categories which are necessary for the controller’s accountancy practice;
  • Processing in relation to the administration of shareholders and associates. The processing must be limited to the data subjects, and the data categories which are necessary for that administration;
  • Processing undertaken by a foundation, association or any other non-profit organisation carrying out its day-to-day activities, but only where the data was not obtained from third party databases and where the processing concerns:
    • personal data about its own members;
    • people with whom the controller regularly interacts; and
    • the beneficiaries of the organisation.
  • Processing in relation to the registration of visitors for the purposes of a sign-in or check in procedure; although data must be limited to certain information such as the name and professional address of the visitor and information identifying their vehicle;
  • Processing by educational institutions for the management of their relationship with their own pupils or students (past, present or potential) in the context of their educational duties; and
  • Processing exclusively in relation to the management of an organisation’s clients or suppliers (past or present), as long as the processing does not involve data such as ‘special category personal data’, or data concerning criminal convictions or infractions.
Wim Nauwelaerts

wnauwelaerts@sidley.com

Paul Greaves

pgreaves@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.