Austrian Data Protection Authority issued the "BLACK LIST"
Processing operations subject to the requirement of a data protection impact assessment
Following the "White List", the data protection authority has now also issued the long-awaited "Black List" in form of a binding regulation. This provides greater clarity as to when Data Protection Impact Assessments ("DPIA") are actually to be carried out in practice in Austria. As already in the draft, the regulation does not provide an exhaustive list of processing operations that are subject to the requirement. Rather, the regulation specifies criteria - some of which require further interpretation - which shall make it necessary to carry out a detailed examination.
Art 35 GDPR establishes the requirement for controllers to carry out and continuously update DPIA if the data processing is associated with a "probably high risk" for the data subjects. In practice, however, it is sometimes difficult to assess when such a high risk is to be expected. Art 35 Para 5 GDPR therefore stipulates that the Data Protection Authorities shall provide a list of processing operations ("Black List") which are subject to the requirement of a DPIA in any case. This shall make the vague criteria more tangible for the controllers and processors and at the same time to serve as an aid to interpretation.
After a first draft of the Austrian Data Protection Authority had circulated a few weeks ago, the corresponding regulation of the authority on processing operations for which a data protection impact assessment is to be carried out ("DSFA-V") was published on 9 November 2018. As previously explained by DORDA data protection experts, this is a supplement to the existing Austrian White List, which as opposite exempts certain processing operations from the obligation to carry out a data protection impact assessment since 25 May 2018.
In a nutshell, the recently issued Black List distinguishes between processing operations where a DPIA must already be carried out in the case of one criterion and those where at least two different criteria must apply cumulatively in order to trigger this obligation. However, data processing operations that are already included in the White List are expressly excluded from the requirement of a DPIA. This establishes a meaningful link between the two lists. In practice, both regulations have to be reviewed in parallel when assessing the necessity of a DPIA.
The issued Black List largely corresponds to Data Protection Authority's previously published draft. One welcomed aspect is that the critical comments on the draft by European Data Protection Board - which is also chaired by Dr Jelinek - have been taken into account: For instance, the mere existence of joint controllers as a trigger for an obligation to carry out a DPIA has finally been deleted.
As a result, each of the following criteria for itself triggers the requirement for a DPIA:
- Ratings or classifications (including profiling and forecasting) in case of potential adverse effects;
- Profiling and automated decision making;
- Monitoring, surveillance or control of data subjects, in particular in public areas;
- Data processing using or applying new or advanced technologies or organisational solutions, in particular artificial intelligence or biometric data processing;
- merging and/or comparing data sets resulting from more than one processing operation, where such merging and/or comparing may lead to adverse decisions;
- Data processing in the personal area - even with consent.
With regard to employment relationships, there is a (reasonable) exception for processing operations already authorized by a plant agreement (consent of the works council) or the consent of the staff representatives. This is most likely based on the appreciated consideration that in such cases the involvement of a concrete body who represents data subject's interests and thus ensures control of the measures and sufficient reconciliation of interests. Thus, no further examination is required.
A data protection impact assessment shall also be carried out if at least two of the following criteria are met:
- Large-scale processing of special categories of personal data;
- Large-scale processing of data on criminal convictions and offences;
- Collection of location data as defined in the Telecommunications Act (Telekommunikationsgesetz – TKG);
- Processing of data on persons in need of higher protection (e.g. minors, employees, patients, mentally ill persons and asylum seekers);
- Merging and/or comparing of data sets from several processing operations, provided that they are processed for purposes other than originally intended.
However, it is still unclear what "large-scale" processing means. Recital 91 only provides the well-known negative definition that data processing should not be considered to be on a large scale if the processing concerns patients or clients of an individual physician or lawyer. At the same time, however, it is not possible to deduce when the threshold of large-scale processing is reached.
Both regulations - Black and White List – now provide for greater clarity as to when and under what circumstances a DPIA is required. Nevertheless, in practice, there is still room for interpretation due to the purposes and criteria, some of which are only roughly explained. It will therefore be up to the practical exercise and, above all, the decisions of the national Data Protection Authorities and, in particular, the European Court of Justice, to provide for sharper distinctions in this regard.