Skip to content
Guidance · EDPB ·62024-on-the-draft-list-of-the-latvian-sa-on-pro EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 6/2024 on the draft list of the Latvian SA on pro-cessing operations exempt from the data protection impact assessment requirement (Art. 35.5 GDPR)

Summary

Adopted 1 Opinion 6/2024 on the draft list of the Latvian SA on pro- cessing operations exempt from the data protection impact assessment requirement (Art. 35.5 GDPR) Adopted on 16 April 2024 Adopted 2 Adopted 3 The European Data Protection Board Having regard to Article 63, Article 64 (2) and Article 35 (1), (5) and (6) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data…

How it connects

Full text 38 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶1

Opinion 6/2024 on the draft list of the Latvian SA on pro- cessing operations exempt from the data protection impact assessment requirement (Art. 35.5 GDPR) Adopted on 16 April 2024 Adopted

¶2

Adopted 3 The European Data Protection Board Having regard to Article 63, Article 64 (2) and Article 35 (1), (5) and (6) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “ GDPR ”), Having regard to the European Economic Area (hereinafter “ EEA ”) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 , Having regard to Article 10 and Article 22 of the Rules of Procedure of the European Data Protection Board (hereinafter “ EDPB ” or “ Board ”), Having regard to the Opinion 11/2019, Opinion 12/2019 and Opinion 13/2019 of the EDPB adopted on 10 July 2019, Whereas: (1) The main role of the Board is to ensure the consistent application of the GDPR throughout the EEA. In compliance with Articles 35(6) and 64(2) GDPR, the Board shall issue an opinion where a supervisory authority (hereinafter “ SA ”) intends to adopt a list of processing operations not subject to the requirement for a data protection impact assessment pursuant to Article 35(5) GDPR. The aim of this opinion is therefore to create a harmonised approach with regard to processing that is cross border or that can affect the free flow of personal data or natural person across the EEA. Even though the GDPR does not impose a single list, it does promote consistency. The Board seeks to achieve this objective in its opinions by ensuring that the lists do not contradict the cases where the GDPR explicitly states that a type of processing should undergo a data protection impact assessment (hereinafter “ DPIA ”), by recommending SAs to remove some criteria which, the Board considers not correlated with the absence of likelihood of high risks for data subjects, by recommending them to limit the scope of the types of processing in order not to contradict the general rules defined in the Article 29 Working Party Guidelines on DPIA 2 (hereinafter “ Guidelines on DPIA ”) and finally by recommending them to use some criteria in a harmonised manner. (2) With reference to Article 35(5) and (6) GDPR, the competent SAs may establish lists of the kind of processing operations which are not subject to the requirement for a DPIA. They shall, however, apply the consistency mechanism where such lists involve processing operations, which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union. (3) Under Article 64(2) GDPR, the consistency mechanism may be triggered by an SA, the EDPB Chair or the Commission for any matter of general application or producing effects in more than one Member 1 References to “Member States” made throughout this opinion should be understood as references to “EEA Member States”. 2 Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP248 rev.01, adopted on 4 April 2017 and revised on 4 October 2017, endorsed by the EDPB. Adopted 4 State. The EDPB shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. (4) While the draft lists of the competent SAs are subject to the consistency mechanism, this does not mean that the lists should be identical. The competent SAs have a margin of discretion with regard to the national or regional context and should take into account their local legislation. The aim of the EDPB assessment/opinion is not to reach a single EU list but rather to avoid significant inconsistencies that may affect the equivalent protection of the data subjects across the EEA. (5) The carrying out of a DPIA is only mandatory for the controller pursuant to Article 35 (1) GDPR where processing is “likely to result in a high risk to the rights and freedoms of natural persons”. The national SAs can issue lists concerning certain processing activities which always require a DPIA (“blacklists”) per Article 35(4) GDPR as well as lists where no DPIA is necessary per Article 35(5) GDPR (“whitelists”). When a processing does not fall within either of these two lists and is not mentioned Article 35(3) GDPR, an ad hoc decision will have to be made by the controller based on whether the “likely to result in a high risk to the rights and freedoms of natural persons” criterion is met. According to Recital 91 GDPR, a DPIA will not be mandatory when the processing is carried out by an individual physician, other health care professional or a lawyer, as it is not of a sufficiently large scale. This exception covers only partially the cases when a DPIA will not be necessary, i.e. when there is no high risk to the rights and freedoms of natural persons. (6) The lists produced by the competent SAs support a common objective, namely to identify the kind of processing operations for which the national SAs are certain that, under no circumstances, they will result in a high risk, and processing operations the national SAs deem unlikely to result in a high risk, and therefore do not require a DPIA. The Board refers to the Guidelines on DPIA, which sets out criteria to consider in determining processing operations “likely to result in a high risk”. As set out in these guidelines, in most cases, a controller can consider that a processing meeting two criteria would require a DPIA to be carried out. However, in some cases, a controller can consider that a processing meeting only one of these criteria requires a DPIA. (7) The opinion of the EDPB shall be adopted pursuant to Article 64 (3) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent SA have decided that the file is complete. Upon decision of the EDPB Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION: 1 SUMMARY OF FACTS 1 The competent Latvian SA has submitted its draft list to the EDPB. The decision on the completeness of the file was taken on 2 February 2024. 2 The Chair of the EDPB decided to extent the period to adopt the opinion by a further six weeks taking into account the complexity of the subject matter. 2 ASSESSMENT

¶2.1

General reasoning of the EDPB regarding the submitted list Adopted 5

¶3

Any list submitted to the EDPB is interpreted as further specifying on the one hand Article 35 GDPR, which will prevail in any case, and on the other hand recital 91 GDPR. Thus, no list can be exhaustive.

¶4

This opinion does not reflect upon items submitted by the Latvian SA, which were deemed outside the scope of Article 35(6) GDPR. This refers to items that neither relate “to the offering of goods or services to data subjects” in several Member States nor to the monitoring of the behaviour of data subjects in several Member States. Additionally, this refers to items that are not likely to “substantially affect the free movement of personal data within the Union”. However, for the sake of clarity, the Board will enumerate the items of the list, which were deemed outside the scope of Article 35(6) GDPR. Further, any processing operations that relate to law enforcement were deemed out of scope, as they are not in scope of the GDPR.

¶5

This opinion will not comment on any items on the list, which fall within the scope of recital 91 GDPR.

¶6

The opinions on the Article 35(4) GDPR lists also aimed at defining a consistent core of processing operations, which the Board requested all SAs to add to their list if not already present in order to ensure consistency. The Article 35(5) GDPR lists may not exempt these general processing operations as a rule.

¶7

The lists established by SAs pursuant to Article 35(5) GDPR are inherently non-exhaustive. These lists contain types of processing regarding which national SAs are certain that, under no circumstances, they will result in a high risk to the rights and freedom of natural persons, and processing operations the national SAs deem unlikely to result in a high risk. Such lists cannot enumerate all cases in which a DPIA will not be necessary. In any event, the obligation of the controller or processor to assess the risk of the processing and to comply with the other obligations imposed by the GDPR remain applicable.

¶8

When this opinion remains silent on an item from the list, it means that the Board is not asking the Latvian SA take further action.

¶9

Finally, the Board recalls that transparency is key for controllers and processors. In order to clarify the entries in the list, the Board is of the opinion that making an explicit reference in the list to the criteria set out in the Guidelines on DPIA could improve this transparency. 2.2 Application of the consistency mechanism to the draft list

¶10

The draft list submitted by the Latvian SA relates to the offering of goods or services to data subjects, relates to the monitoring of their behaviour in several Member States and/or may substantially affect the free movement of personal data within the Union mainly because the processing operations in the submitted draft list are not limited to data subjects in this country. 2.3 Analysis of the draft list

¶11

In its analysis, the Board takes into account that: • Article 35 (1) GDPR requires a DPIA when the processing activity is likely to result in a high risk to the rights and freedoms of natural persons; and • Article 35 (3) GDPR provides a non-exhaustive list of types of processing that require a DPIA.

¶12

As a general remark, the Board is of the opinion that the analysis done in the Guidelines on DPIA is a core element for ensuring consistency across the EEA. Thus, it recommends the Latvian SA to add a statement to the document containing their list that clarifies that their list is based on the Guidelines on DPIA and that it complements and further specifies these guidelines. Adopted 6 2.3.1 Processing in the context of Human Resources

¶13

The draft list includes the processing of personal data “for the implementation of employment legal relationship required in the law, employer’s processing of personal data of employees employed in the territory of the Republic of Latvia, which is carried out only in the territory of the Republic of Latvia, in particular for human resources and accounting purposes, in the field of wage setting, social insurance and health insurance, except if the data processing is related to the processing of sensitive data, including biometric data, evaluation, profiling or systematic monitoring of data subjects; E.g. Company ensures the production of microchips and where required by law processes personal data of 40 employees, such as the employee’s name, personal identity number, address of residence, bank account number, information on trade union membership, health insurance status, information whether the employee has a specific disability.”

¶14

The Board notes that the processing of personal data for the implementation of an employment relationship is a broad item that might involve categories of personal data, the processing of which is likely to pose a high risk to the rights and freedoms of natural persons. The list item proposed by the Latvian SA already includes a number of restrictions that are suitable for restricting the risks for the data subjects. However, with a view to the “consistent core” of processing operations (see paragraph 6 above), the Board recommends that the processing envisaged by the Latvian SA’s list be further restricted by also excluding genetic data. 2.3.2 Processing related to business needs and offering and provision of services, including customer competitions and distribution of newsletters

¶15

The draft list includes the processing of “Customer personal data (…) related to business needs and offering and provision of services, including customer competitions and distribution of newsletters, which are carried out only in the Latvian language and which are carried out only in the territory of the Republic of Latvia, if the main activity of the company cannot be directly or indirectly related to the processing of personal data and, does not carry out systematic monitoring of sensitive data and vulnerable clients or data subjects on a large scale; E.g. Company is engaged in the provision of construction and repair services. In order to provide up-to-date information about its services and special offers, it sends informative e-mails to its subscribers, thus processing the subscriber’s personal data — name, surname, e-mail address.”

¶16

In a communication after the beginning of the Article 64(2) GDPR process, the LV SA has clarified that this item should only cover processing that is not on a large scale, that does not involve scoring, and that is exclusively for the purpose of customer competitions and distribution of newsletters. The EDPB therefore asks the LV SA to reword the item accordingly. 2.3.3 Data processing carried out by an association, foundation, religious organisation or political party

¶17

The draft list includes the item “Data processing carried out by an association, foundation, religious organisation or political party for the management of its members and donors in the framework of its regular activities; Adopted 7 E.g. A political party processes the personal data of donors, such as name, surname, personal identity number, bank account number.”

¶18

The Board notes that the framework of regular activities of associations, foundations, religious organisations or political parties is wide class of activities that could involve processing activities such as scoring, profiling or monitoring, and which might include the processing of personal data of a sensitive nature, including personal data that would fall under the scope of Article 9 GDPR. Therefore, such processing would likely result in a high risk to the rights and freedoms of natural persons.

¶19

The Board therefore recommends that the Latvian SA restrict the scope of the processing to exclude the processing of personal data of a sensitive nature and to remove religious organisations and political parties from the item. 2.3.4 Data processing in relation to the management of multi-apartment residential buildings

¶20

The draft list includes the item “Data processing by the association of apartment owners, the co-operative society of apartments or the community of apartment owners, in relation to the management of multi-apartment residential buildings and related buildings, and land; E.g. Video surveillance in multi-apartment building areas, stairwells, parking places to combat vandalism and the commission of other criminal offences.”

¶21

The Board notes that the processing mentioned in the example could fall under the class of processing for which a DPIA is explicitly required by Article 35(3)(c) GDPR, which requires a DPIA to be carried out for a systematic monitoring of a publicly accessible area on a large scale.

¶22

The Board therefore requests the Latvian SA to restrict the scope of the processing by excluding processing on a large scale. 2.3.5 Processing of data for the management of physical access controls and schedules

¶23

The draft list includes the item “Processing of data for the management of physical access controls and schedules for the calculation of working time, excluding special categories of personal data; E.g. The employer has put in place an access control system at the workplace, providing access to work premises only to authorised persons, using contactless cards and chip readers, thus processing information about the hours worked by the employee on a working day, the time when the employee arrives at work and when he leaves.”

¶24

The Board is of the opinion that the processing activities carried out in the context of managing access controls and work schedules is a broad item that might include processing which is likely to pose a high risk to the rights and freedoms of natural persons. Hence, the Board recommends this item be further restricted to cover only processing of data that does not reveal sensitive data or data of a highly personal nature.

¶25

With respect to access control, the Board recommends restricting the scope of the item to processing activities solely in the context of standard and non-biometric mechanisms aimed at controlling physical access. Adopted 8

¶26

Further, the Board recommends clarifying in the item that, with respect to work schedules, only processing activities with the sole purpose of calculating working times are covered. 2.3.6 Processing of data in connection with checks of alcohol or narcotic substances within the framework of transport activities

¶27

The draft list includes the item “Processing of data in connection with checks of alcohol or narcotic substances within the framework of transport activities arising from legal requirements in the law in order to verify that the driver is not under the influence of alcohol or narcotic substances (also applies to cases where the breathalyzer checks are carried out for employees driving vehicles which are not subject to road traffic regulations, such as specially equipped vehicles for the carriage of goods at the employer’s premises); E.g. The employer performs a breathalyzer test on the alcohol concentration in the exhalation of the bus driver before the shift starts.”

¶28

The Board notes that the processing relating to breathalyzer tests is broad and may involve processing which is likely to pose a high risk to the rights and freedoms of natural persons. For this reason, the Board recommends that this item be further restricted to cases where processing of such data is mandatory by law, and that the purpose of the use of the test data is restricted to the sole purpose of preventing drivers from operating vehicles while under the influence of alcohol or narcotics. 2.3.7 Processing similar to a processing for which a DPIA has already been carried out

¶29

The draft list includes the item “The type, scope, context and purposes of data processing are very similar to data processing for which a DPIA has already been carried out. E.g. The railway operator (one controller) could cover video surveillance at all railway stations with one DPIA.”

¶30

The Board is of the opinion that two different sets of processing of personal data may present different levels of risk to the rights and freedoms of natural persons even if they have very similar type, scope, context and purposes.

¶31

Furthermore, the Board is of the opinion that even if two sets of processing have very similar type, scope, context and purposes, the specific circumstances of each processing could result in a situation where certain safeguards, security measures and mechanisms that are suitable for ensuring the protection of personal data in one processing might not provide the same level of protection in the other.

¶32

The Board therefore recommends that this item be removed from the Latvian SA’s list. 2.3.8 List items considered out of scope of Article 35(6) GDPR

¶33

The Board is of the view that the following item on the list falls outside the scope of Article 35(6) GDPR: • Processing of data in relation to collective submissions laid down in the Local Government Law; E.g. Residents of Riga municipality submit a collective submission in accordance with the procedures laid down by law. The local government, when examining the application, processes personal data of the submitters, including given name, surname, personal identity number. Adopted 9

¶34

Therefore, the Board does not have any comments or recommendations on this item. 3 CONCLUSIONS / RECOMMENDATIONS

¶35

The Board considers that the draft list of Latvian SA may lead to an inconsistent application of Article 35 GDPR and recommends that the following changes be made: 1 Regarding the reference to Guidelines on DPIA: the Board recommends the Latvian SA to amend its document accordingly. 2 Regarding processing in the context of Human Resources: the Board recommends that the Latvian SA restrict the scope of the item by excluding genetic data. 3 Regarding processing related to business needs and offering and provision of services, including customer competitions and distribution of newsletters: the Board recommends that the Latvian SA modify the item to only cover processing that is not on a large scale, that does not involve scoring, and that is exclusively for the purpose of customer competitions and distribution of newsletters. 4 Regarding processing carried out by an association, foundation, religious organisation or political party: the Board recommends that the Latvian SA restrict the scope of the processing to exclude the processing of personal data of a sensitive nature and to remove religious organisations and political parties from the item. 5 Regarding processing in relation to the management of multi-apartment residential buildings: the Board recommends that the Latvian SA restrict the scope of the processing by excluding processing on a large scale. 6 Regarding processing of data for the management of physical access controls and schedules: the Board recommends this item be restricted to cover only processing of data that does not reveal sensitive data or data of a highly personal nature. With respect to access control, the Board recommends restricting the scope of the item to processing activities solely in the context of standard and non-biometric mechanisms aimed at controlling physical access. Further, the Board recommends clarifying in the item that, with respect to work schedules, only processing activities with the sole purpose of calculating working times are covered. 7 Regarding processing of data in connection with checks of alcohol or narcotic substances: the Board recommends that this item be further restricted to cases where processing of such data is mandatory by law and that the purpose of the use of the test data is restricted to the sole purpose of preventing drivers from operating vehicles while under the influence of alcohol or narcotics. 8 Regarding processing similar to a processing for which a DPIA has already been carried out: the Board recommends that the Latvian SA remove this item from the list. 9 Regarding the significance of items listed: the Board encourages the Latvian SA to clarify that its list is without prejudice to any other obligation stipulated by the GDPR. Adopted 10 4 FINAL REMARKS

¶36

This opinion is addressed to the Latvian SA and will be made public pursuant to Article 64 (5) (b) GDPR.

¶37

According to Article 64 (7) and (8) GDPR, the Latvian SA shall communicate to the Chair of the EDPB by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft decision. Within the same period, it shall provide the amended draft decision or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. 38. The Latvian SA shall communicate the final decision to the Board for inclusion in the register of decisions which have been subject to the consistency mechanism, in accordance with Article 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Anu Talus)

Similar Content