French DPA Publishes Updated Data Protection Impact Assessment Guidance
Under Article 35(3) of the EU General Data Protection Regulation (GDPR), organisations are required to conduct a data protection impact assessment (DPIA) where they: (i) engage in a systematic and extensive evaluation of personal aspects of individuals, based on automated processing, and on which decisions are based that produce legal or other effects that concern the individual, or (ii) process special categories of personal data (e.g. health data) on a large scale or personal data relating to criminal convictions, or (iii) engage in a systematic monitoring of a publicly accessible area on a large scale.
The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), had published a draft list of processing operations which require a DPIA to be carried out prior to the processing of personal data. These include: (i) the processing of health data by health establishments, (ii) the processing of genetic data of vulnerable persons, (iii) profiling of employees for HR purposes, (iv) monitoring of employees for HR purposes, (v) processing of personal data in the context of whistleblowing helplines, (vi) various types of profiling, and (vii) the processing of biometric data.
The CNIL’s list was submitted to the European Data Protection Board (EDPB) for approval. Under Article 64(1) of the GDPR, where a Member State data protection authority (DPA) intends to adopt a list of processing operations which require a DPIA, the DPA must submit the draft list to the EDPB. The EDPB then issues an opinion on the list, with the aim of ensuring a harmonised approach to data processing across the EU.
In its opinion, published and adopted on 25 September 2018, the EDPB asked the CNIL to explicitly clarify that the list is not exhaustive, and to highlight that the creation of a DPIA list was based on the Article 29 Working Party (the predecessor to the EDPB) guidelines on DPIAs.
Regarding the processing of biometric data listed by the CNIL, the EDPB was of the opinion that processing biometric data is not, without more, likely to represent a “high risk to the rights and freedoms of individuals.” Rather, a DPIA is required where biometric data is processed for the purpose of uniquely identifying an individual in conjunction with at least one other criterion. As such, the EDPB required the CNIL to amend its list so that a DPIA is required where biometric data is processed for the purpose of uniquely identifying an individual only when done in conjunction with at least one other triggering criterion, to be applied without prejudice to Article 35(3) of the GDPR.
On the processing of genetic data, the EDPB likewise considered that the processing of genetic data on its own does not necessarily represent a “high risk to the rights and freedoms of individuals.” The EDPB therefore asked the CNIL to amend its list so that a DPIA is required where the processing of genetic data is done in conjunction with at least one other criterion, to be applied without prejudice to Article 35(3) of the GDPR.
Notably, the CNIL’s initial list did not contain any reference to the processing of location data. The EDPB asked the CNIL to include in its list a reference to the processing of location data, together with another criterion.
The EDPB also requested refinement of the references to DPIAs in the context of employee monitoring. Specifically, the EDPB asked the CNIL to add further criteria where the employee monitoring involves vulnerable data subjects and systematic monitoring of individuals.
In response to the EDPB’s opinion, the CNIL accepted all of the EDPB’s recommendations and on 6 November 2018 published an updated list.