Opinion 26/2018 on the draft list of the competent supervisory authority of Luxembourg regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR)
1 Adopted EDPB Plenary meeting, 04/05.12.2018 Opinion 26 /2018 on the draft list of the competent supervisory authority of Luxembourg regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) Adopted on 4 December 2018 2 Adopted TABLE OF C ONTENTS 1 Summary of the Facts ................................ ................................ ................................ ..................... 4 2 Assessment…
How it connects
Related across sources
Full text
1 Adopted EDPB Plenary meeting, 04/05.12.2018 Opinion 26 /2018 on the draft list of the competent supervisory authority of Luxembourg regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) Adopted on 4 December 2018 2 Adopted TABLE OF C ONTENTS 1 Summary of the Facts ................................ ................................ ................................ ..................... 4 2 Assessment ................................ ................................ ................................ ................................ ..... 5 2.1 General reasoning of the EDPB regarding the submitted list ................................ ................. 5 2.2 Application of the consistency mechanism to the draft list ................................ ................... 5 2.3 Analysis of the draft list ................................ ................................ ................................ .......... 6 2.3.1 Biometric data ................................ ................................ ................................ ................. 6 2.3.2 Genetic data ................................ ................................ ................................ .................... 6 2.3.3 Systematic monitoring of publicly accessible areas ................................ ........................ 6 2.3.4 Indirect collection of personal data when it is not possible / feasible to guarantee the right of information (article 14.5 GDPR) ................................ ................................ ........................ 7 3 Conclusions / Recommendations ................................ ................................ ................................ ... 7 4 Final Remarks ................................ ................................ ................................ ................................ . 8 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1a), (3) - (8) and Article 35 (1), (3), (4), (6) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repe aling Directive 95/46/EC (here afte r “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, Having regard to Article 10 and 22 of its Rules of Procedure of 25 May 20 18, Whereas: (1) The main role of the Board is to ensure the consistent application o f the Regulation 2016/679 (here after GDPR) throughout the European Economic Area . In compliance with article 64.1 GDPR, the Board shall issue an opinion where a superviso ry authority (SA) intends to adopt a list of processing operations subject to the requirement for a data protection impact assessment pursuant to article 35.4 GDPR. The aim of this opinion is therefore to create a harmonised approach with regard to process ing that is cross border or that can affect the free flow of personal data or natural person across the European Union. Even though the GDPR doesn’t impose a single list, it does promote consistency. The Board seeks to achieve this objective in its opinio ns firstly by requesting SAs to include some types of processing in their lists, secondly by requesting them to remove some criteria which the Board doesn’t consider as necessarily creating high risks for data subjects, and finally by requesting them to us e some criteria in a harmonized manner. (2) With reference to A rticle 35 (4) and (6) GDPR, the competent supervisory authorities shall establish lists of the kind of processing operations which are subject to the requirement for a data protection impact as sessment (hereinafter “DPIA” ) . They shall, however, apply the consistency mechanism where such lists involve processing operations, which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several M ember States, or may substantially affect the free movement of personal data within the Union . (3) While the draft lists of the competent supervisory authorities are subject to the consistency mechanism, this does not mean that the lists should be identi cal . The competent supervisory authorities have a margin of discretion with regard to the national or regional context and should take into account their local legislation . The aim of the EDPB assessment/opinion is not to reach a single EU list but rather to avoid significant inconsistencies that may affect the equivalent protection of the data subjects. (4) The carrying out of a DPIA is only mandatory for the controller pursuant to Article 35 (1) GDPR where processing is “likely to result in a high risk to the rights and freedoms of natural persons”. Article 35 (3) GDPR illustrates what is likely to result in a high risk. This is a non - exhaustive list. The 4 Adopted Working Party 29 in the Guidelines on data protection impact assessment 1 , as endorsed by the EDPB 2 , ha s clarified criteria that can help to identify when processing operations are subject to the requirement for a DPIA. The Working Party 29 Guidelines WP248 state that i n most cases, a data controller can consider that a processing meeting two criteria would require a DPIA to be carried out , h owever, in some cases a data controller can consider that a processing meeting only one of these criteria requires a DPIA. (5) The lists produced by the competent supervisory authorities support the same objective to i dentify processing operations likely to result in a high risk and processing operations, which therefore require a DPIA. As such , the criteria developed in the Working Party 29 Guidelines should be applied when assessing whether the draft lists of the comp etent supervisory authorities does not affect the consistent application of the GDPR. (6 ) T wenty - two competent supervisory authorities received an opinion on their draft lists from the EDPB on 5 September 2018 . A further 4 SAs submitted their draft list by early October . A global assessment of these draft lists supports the objective of a consistent application of the GDPR even though the complexity of the subject matter increases. (7) The opinion of the EDPB shall be adop ted pursuant to Article 64 (3) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decided that the file is complete. Upon decisio n of the Chair , this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE OPINION: 1 SUMMARY OF THE FACTS 1. The competent supervisory authority of Luxembourg has submitted its draft list to the EDPB. The decision on the completeness of the file was taken on the 28 th of July 2018 . Th e period until which the opinion has to be adopted has been extended until the 5 th of December 2018 taking into account the com plexity of the subject matter considering also the need to factor in the outcome of the review of the twenty - two draft lists previously submitted by competent supervisory authorities and the need for a global assessment of all of them . 1 WP29, Guidelines on Data Protection Impact Assessment and determining wh ether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP 248 rev. 01). 2 EDPB, Endorsement 1/2018 . 5 Adopted 2 ASSESSMENT 2.1 General reasoning of the EDPB regarding the submitted list 2. Any list submitted to the EDPB has been interpreted as further specifying Art 35.1, which will prevail in any case. Thus , no list can be exhaustive. 3. In compliance with article 35.10 GDPR, the Board is of the opinion that if a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of the legal basis the obligation to carry out a DPIA in accordance with paragraphs 1 to 7 of article 35 GDPR does not apply, unle ss the Member State deems it necessary. 4. Further, if the Board requests a DPIA for a certain category of processing and an equivalent measure is already required by national law, the Commission nationale pour la protection des données (hereafter Luxembourg Supervisory Authority) shall add a reference to this measure. 5. This opinion does not reflect upon items submitted by the Luxembourg Supervisory Authority , which were deemed outside the scope of Article 35.6 GDPR. T h is refers to items that neither relate “ to the offering of goods or services to data subjects ” in several Member States n or to the monitoring of the behaviour of data subjects in several Member States . Additionally , they are not likely to “ substantially affect the free movement of personal data wi thin the Union ” . This is especially the case for items relating to national legislation and in particular where the obligation to carry out a DPIA is stipulated in national legislation . Further, any processing operations that relate to law enforcement were deemed out of scope, as they are not in scope of the GDPR. 6. The Board has noted that several supervisory authorities have included in their lists some types of processing which are necessarily local processing. Given that only cross border processing and processing that may affect the free flow of personal data and data subjects are concerned by Article 35.6, the Board will not comment on those local processing. 7. The opinion a im s at defining a consistent core of processing operations that are recurrent in t he lists provided by the SAs. 8. This means that, for a limited number of types of processing operations that will be defined in a harmonized way, all the Supervisory Authorities will require a DPIA to be carried out and the Board will recommend the SAs to a mend their lists accordingly in order to ensure consistency. 9. When this opinion remains silent on DPIA list entries submitted, it means that the Board is not asking the Luxembourg Supervisory Authority to take further action. 10. Finally, the Board recalls t hat transparency is key for data controllers and data processors. In order to clarify the entries in the list, the Board is of the opinion that making an explicit reference in the lists, for each type of processing, to the criteria set out in the guideline s could improve this transparency. Therefore, the Board considers that an explanation on which criteria have been taken into account by the Luxembourg Supervisory Authority to create its list could be added. 2.2 Application of the consistency mechanism to the draft list 11. The draft list submitted by the Luxembourg Supervisory Authority relate s to the offering of goods or services to data subjects, relate s to the monitoring of their behavior in several Member States and/or 6 Adopted may substantially affect the free movemen t of personal data within the Union mainly because the processing operations in the submitted draft list are not limited to data subjects in this country. 2.3 Analysis of the draft list 12. Taking into account that : a. A rticle 35 ( 1 ) GDPR require s a DPIA when the pro cessing activity is likely to result in a high risk to the rights and freedoms of natural persons; and b. A rticle 35 ( 3 ) GDPR provides a non - exhaustive list of types of processing that require a DPIA , the Board is of the opinion that : 2.3.1 Biometric data 13. The list submitted by the Luxembourg Supervisory Authority for an opinion of the Board states, that the processing of biometric data as defined under GDPR article 4(14) and which has as a purpose identification of data subjects in and of itself falls under the obligation to perform a DPIA. The Board is of the opinion that the processing of biometric data is not necessarily likely to represent a high risk per se. However, the processing of biometric data for the purpose of uniquely identifying a natural pers on in conjunction with at least one other criterion requires a DPIA to be carried out. Therefore the Board requests the Luxembourg Supervisory Authority to amend its list accordingly, by adding that the item referencing the processing of biometric data for the purpose of uniquely identifying a natural person requires a DPIA to be carried out only when it is done in conjunction with at least one other criterion, to be applied without prejudice to article 35(3) GDPR. 2.3.2 Genetic data 14. The list submitted by the Lux embourg Supervisory Authority for an opinion of the Board states, that the processing of genetic data in and of itself falls under the obligation to perform a DPIA. The Board is of the opinion that the processing of genetic data is not necessarily likely t o represent a high risk per se. However, the processing of genetic data in conjunction with at least one other criterion requires a DPIA to be carried out. Therefore the Board requests the Luxembourg Supervisory Authority to amend its list accordingly, by adding that the item referencing the processing of genetic data requires a DPIA to be carried out only when it is done in conjunction with at least one other criterion, to be applied without prejudice to article 35(3) GDPR. 2.3.3 Systematic monitoring of publicl y accessible areas 15. The list submitted by the Luxembourg Supervisory Authority for an opinion of the Board states, that the processing activities that consist of or include regular and systematic monitoring of publicly accessible areas falls under the oblig ation to perform a DPIA – provided that data is stored. The Board is of the opinion that the processing activities that consist of or include regular and systematic monitoring of publicly accessible areas are not necessarily likely to represent a high risk . However, in conjunction with at least one other criterion such processing is likely to present a high risk and requires a DPIA to be carried out. Therefore the Board requests the Luxembourg Supervisory Authority to amend its list accordingly, by adding t hat the item referencing the processing activities that consist of or include regular and systematic monitoring of publicly accessible areas requires a DPIA to be carried 7 Adopted out only when it is done in conjunction with at least one other criterion, to be appl ied without prejudice to article 35(3) GDPR. 2.3.4 Indirect collection of personal data when it is not possible / feasible to guarantee the right of information (article 14.5 GDPR) 16. The list submitted by the Luxembourg Supervisory Authority for an opinion of the Board states, that the processing activities based on indirect collection of personal data when it is not possible / feasible to guarantee the right of information fall under the obligation to perform a DPIA. The Board is of the opinion that types of proce ssing activities that could deprive the data subjects from their rights do not necessarily represent a high risk on their own. Therefore, a processing activity conducted by the controller under article 14 GDPR and where the information to be given to the d ata subjects is subject to an exemption under article 14.5 could require a DPIA to be carried out only in conjunction with at least one other criterion. The Board points out that the exceptions to the obligation of informing the data subjects are only poss ible when the data has been collected by a third party. Therefore in this case the mention of indirect collection does not count as a second criterion. 17. The Board requests the Luxembourg Supervisory Authority to amend its list accordingly, by adding that t he item referencing the processing activities based on indirect collection of personal data when it is not possible / feasible to guarantee the right of information requires a DPIA to be carried out only when it is done in conjunction wi th at least one oth er criterion . 3 CONCLUSIONS / RECOMM ENDATIONS 18. The draft list of the Luxembourg Supervisory Authority may lead to an inconsistent application of the requirement for a DPIA and the following changes need to ma d e : Regarding biometric data: the Board requests th e Luxembourg Supervisory Authority to amend its list by adding that the item referencing the processing of biometric data for the purpose of uniquely identifying a natural person requires a DPIA to be carried out only when it is done in conjunction with at least one other criterion Regarding genetic data: the Board requests the Luxembourg Supervisory Authority to amend its list by adding that the item referencing the processing of genetic data requires a DPIA to be carried out only when it is done in conjun ction with at least one other criterion. Regarding the systematic monitoring of publicly available areas: the Board requests the Luxembourg Supervisory Authority to amend its list by adding that the item referencing the processing activities that consist o f or include regular and systematic monitoring of publicly accessible areas requires a DPIA to be carried out only when it is done in conjunction with at least one other criterion Regarding the Indirect collection of personal data when it is not possible / feasible to guarantee the right of information: the Board requests the Luxembourg Supervisory Authority to amend its list by adding that the item referencing the processing activities based on indirect collection of personal data when it is not possible / feasible to guarantee the right of information requires a DPIA to be carried out only when it is done in conjunction with at least one other criterion . 8 Adopted 4 FINAL REMARKS 19. This opinion is addressed to the Commission nationale pour la protection des données ( Luxembourg Supervisory Authority) and will be made public pursuant to Article 64 (5b) GDPR. 20. According to Article 64 (7) and (8) GDPR, the supervisory authority shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft list. Within the same period, it shall provide the amended draft list or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow thi s opinion, in whole or in part. For the European Data Protection Board The Chair (Andrea Jelinek)