Opinion 10/2019 on the draft list of the competent supervisory authority of Cyprus regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35(4) GDPR)
A dopted 1 Opinion 10/2019 on the draft list of the competent supervisory authorit y of Cyprus regarding the processing operation s subject to the requirement of a data protection impact assessment (Article 35(4) GDPR) Adopted on 9 July 2019 A dopted 2 A dopted 3 The European Data Protection Board Having r egard to Article 63, Article 64 (1 )(a), (3) - (8) and Article 35 (1), (3), (4), (6) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the…
How it connects
Related across sources
Full text
A dopted 1 Opinion 10/2019 on the draft list of the competent supervisory authorit y of Cyprus regarding the processing operation s subject to the requirement of a data protection impact assessment (Article 35(4) GDPR) Adopted on 9 July 2019 A dopted 2 A dopted 3 The European Data Protection Board Having r egard to Article 63, Article 64 (1 )(a), (3) - (8) and Article 35 (1), (3), (4), (6) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, Having regard to Article 10 and 22 of its Rules of Procedure of 25 May 2018, as revised on 23 November 2018, Whereas: (1) The main role of the Board is to ensure the consistent application of the Regulation 2 016/679 ( hereinafter GDPR) throughout the European Economic Area. In compliance with Article 64.1 GDPR, the Board shall issue an opinion where a supervisory authority (SA) intends to adopt a list of processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4) GDPR. The aim of this opinion is therefore to create a harmoni s ed approach with regard to processing that is cross border or that can affect the free flow of personal data or natural person across the European Union. Even though the GDPR doesn’t impose a single list, it does promote consistency. The Board seeks to achieve this objective in its opinions firstly by requesting SAs to include some types of processing in their lists, secondly by requesting them to remove some criteria which the Board doesn’t consider as necessarily creating high risks for data subjects, and finally by requesting them to use some criteria in a har monized manner. ( 2) With reference to Article 35 (4) and (6) GDPR, the competent supervisory authorities shall establish lists of the kind of processing operations which are subject to the requirement for a data protection impact assessment (hereinafter “DP IA”). They shall, however, apply the consistency mechanism where such lists involve processing operations, which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may subs tantially affect the free movement of personal data within the Union. (3) While the draft lists of the competent supervisory authorities are subject to the consistency mechanism, this does not mean that the lists should be identical. The competent supervi sory authorities have a margin of discretion with regard to the national or regional context and should take into account their local legislation. The aim of the EDPB assessment/opinion is not to reach a single EU list but rather to avoid significant incon sistencies that may affect the equivalent protection of the data subjects. A dopted 4 (4) The carrying out of a DPIA is only mandatory for the co ntroller pursuant to Article 35 (1) GDPR where processing is “likely to result in a high risk to the rights and freedoms of natural persons”. Article 35 (3) GDPR illustrates what is likely to result in a high risk. This is a non - exhaustive list. The Working Party 29 in the Guidelines on data protection impact assessment 1 , as endorsed by the EDPB 2 , has clarified criteria that c an help to identify when processing operations are subject to the requirement for a DPIA. The Working Party 29 Guidelines WP248 state that in most cases, a data controller can consider that a processing meeting two criteria would require a DPIA to be carr ied out, however, in some cases, a data controller can consider that a processing meeting only one of these criteria requires a DPIA. (5) The lists produced by the competent supervisory authorities support the same objective to identify processing operati ons likely to result in a high risk and processing operations, which therefore require a DPIA. As such, the criteria developed in the Working Party 29 Guidelines should be applied when assessing whether the draft lists of the competent supervisory authorit ies does not affect the consistent application of the GDPR. (6) Twenty - two competent supervisory authorities received an opinion on their draft lists from the EDPB on 5 September 2018. A further 4 SAs received an opinion on their draft lists on 4 Decembe r 2018, followed by 2 on 23 January 2019 and another 2 on 12 March 2019 . A global assessment of these draft lists supports the objective of a consistent application of the GDPR . (7) The opinion of the EDPB shall be adopted pursuant to Article 64( 3) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decided that the file is complete. Upon decision of the Chair, this period may be e xtended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION: 1. Summary of the Facts 1. The Office of the Commissioner of Personal Data Protection in Cyprus (hereafter Cypriot Supervisory Authority) ha s submitted its draft list to the EDPB. The decision on the completeness of the file was taken on 5 April 2019. The period until which the opinion has to be adopted has been extended until 12 July 2019. 1 WP29, Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP 248 rev. 01). 2 EDPB, Endorsement 1/2018 . A dopted 5 2. Assessment 2.1 General reasoning of t he EDPB regarding the submitted list 2. Any list submitted to the EDPB has been interpreted as further specifying Art 35(1) , which will prevail in any case. Thus, no list can be exhaustive. 3. In compliance with Article 35 ( 10 ) GDPR, the Board is of the opinion that if a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of the legal basis the obligation to carry out a DPIA in accordance with paragraphs 1 to 7 of Article 35 GDPR does not apply, unless the Membe r State deems it necessary. 4. Further, if the Board requests a DPIA for a certain category of processing and an equivalent measure is already required by national law, the Cypriot Supervisory Authority Protection shall add a reference to this measure. 5. This opinion does not reflect upon items submitted by the Cypriot Supervisory Authority, which were deemed outside the scope of Article 35(6) GDPR. This refers to items that neither relate “to the offering of goods or services to data subjects” in several Member States nor to the monitoring of the behaviour of data subjects in several Member States. Additionally, they are not likely to “substan tially affect the free movement of personal data within the Union”. This is especially the case for items relating to national legislation and in particular, where the obligation to carry out a DPIA is stipulated in national legislation. Further, any proce ssing operations that relate to law enforcement were deemed out of scope, as they are not in scope of the GDPR. 6. The Board has noted that several supervisory authorities have included in their lists some types of processing which are necessarily local proce ssing. Given that only cross border processing and processing that may affect the free flow of personal data and data subjects are concerned by Article 35(6) , the Board will not comment on those local processing. 7. The opinion aims at defining a consistent c ore of processing operations that are recurrent in the lists provided by the SAs. 8. This means that, for a limited number of types of processing operations that will be defined in a harmonised way, all the Supervisory Authorities will require a DPIA to be c arried out and the Board will recommend the SAs to amend their lists accordingly in order to ensure consistency. 9. When this opinion remains silent on DPIA list entries submitted, it means that the Board is not asking the Cypriot Supervisory Authority to ta ke further action. 10. Finally, the Board recalls that transparency is key for data controllers and data processors. In order to clarify the entries in the list, the Board is of the opinion that making an explicit reference in the lists, for each type of pro cessing, to the criteria set out in the guidelines could improve this transparency. Therefore, the Board considers that an explanation on which criteria have been taken into account by the Cypriot Supervisory Authority to create its list could be added. A dopted 6 2.2 Application of the consistency mechanism to the draft list 11. The draft list submitted by the Cypriot Supervisory Authority relates to the offering of goods or services to data subjects, relates to the monitoring of their behaviour in several Member State s and/or may substantially affect the free movement of personal data within the Union mainly because the processing operations in the submitted draft list are not limited to data subjects in this country. 2.3 Analysis of the d raft list 12. Taking into accoun t that: a. Article 35 (1) GDPR requires a DPIA when the processing activity is likely to result in a high risk to the rights and freedoms of natural persons; and b. Article 35 (3) GDPR provides a non - exhaustive list of types of processing that require a DPIA, the Board is of the opinion that: REFERENCE TO THE GUI DELINES 13. The board is of the opinion that the analysis done in the Working Party 29 Guidelines WP248 is a core element for ensuring consistency across the Union. Thus, it requests the different Supervis ory Authorities to add a statement to the document containing their list that clarifies that their list is based on these guidelines and that it complements and further specifies the guidelines. 14. As the document of the Cypriot Supervisory Authority does no t contain such a statement, the Board recommends the Office of the Commissioner of Personal Data Protection to amend their document accordingly. MONITORING EMPLOYEES 15. The Board is of the opinion that, due to its specific nature, the employee monitoring proc essing, meeting the criterion of vulnerable data subjects and of systematic monitoring in the guidelines, – could require a DPIA. Given that the list submitted by the Cypriot Supervisory Authority for an opinion of the Board already envisages this type of processing as requiring a data protection impact assessment, the Board solely recommends making explicit the reference to the two criteria in the guidelines WP29 Guidelines WP248. In addition, the Board is of the opinion that the WP249 of the Article 29 w orking party remains valid when defining the concept of the systematic processing of employee data. BIOMETRIC AND GENETI C DATA 16. The list submitted by the Cypriot Supervisory Authority for an opinion of the Board envisages that the large - scale processing of “ biometric and genetic data ” requires a DPIA. On this point, the Board acknowledges that the list aligns with the aim of consistency. However, the Board notes that the phrasing use might lead to the conclusion that the la rge scale processing of biometric data must take place cumulatively with genetic data, whereas it should be a disjunctive condition. Therefore, the Board recommends that the phrasing be changed to ‘biometric or genetic data’. A dopted 7 LOCATION DATA 17. The Board is of the opinion that consistency is one of the basic principle s of the GDPR. The Board notes that a majority of the lists submitted explicitly contain a reference to the processing of location data. As the list submitted by the Cypriot Supervisory Authority fo r an opinion do es not contain such a reference, the Board encourages the Cypriot Supervisory Authority to include the processing of location data in its list, together with another criterion. 3. Conclusions / Recommendations 18. The draft list of the Cypriot Supervisory Authority may lead to an inconsistent application of the requirement for a DPIA and the following changes need to made: Regarding the reference to the guidelines: the Board requests the Supervisory Authority of Cyprus to amend its document acco rdingly. Regarding employee monitoring: the Board solely recommends making explicit the reference to the two criteria in the guidelines WP29 Guidelines WP248. Regarding ‘ biometric and genetic data ’ : the Board recommends that the phrasing be changed to ‘biometric or genetic data’ . Regarding location data: the Board encourages the Cypriot Supervisory Authority to include the processing of location data in its list, together with another criterion. A dopted 8 4. Final Remarks 19. This opinion is addressed to The Offic e of the Commissioner of Personal Data Protection in Cyprus (Cypriot Supervisory Authority) and will be mad e public pursuant to Article 64 (5 )( b) GDPR. 20. According to Article 64 (7) and (8) GDPR, the supervisory authority shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft list. Within the same period, it shall provide the amended draft list o r where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. For the European Data Protection Board The Chair (Andrea Jelinek)