# Opinion 18/2018 on the draft list of the competent supervisory authority of Portugal regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR)

- Type: Guidance
- Source: EDPB
- Identifier: opinion-182018-on-the-draft-list-of-the-competent-supervisory-en
- Date: 2018-10-03
- Original: https://www.edpb.europa.eu/documents/opinion-of-the-board-art-64/opinion-182018-on-the-draft-list-of-the-competent-supervisory_en
- Canonical: https://overview.legal/posts/126297
- Topics: Employees, Health Data, Data Controller, Types of Special Categories of Personal Data, Human Resources, DPIA, Monitoring, Transparency, Privacy Impact Assessment, Genetic Data

## Summary

Opinion 18 /2018 on the draft list of the competent supervisory authority of Portugal regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) Adopted on 25th September 2018 2 Contents 1. Summary of the Facts ................................ ................................ ................................ ........ 4 2. Assessment ................................ ................................ ................................…

## Full text

Opinion 18 /2018 on the draft list of the competent supervisory authority of Portugal regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) Adopted on 25th September 2018 2 Contents 1. Summary of the Facts ................................ ................................ ................................ ........ 4 2. Assessment ................................ ................................ ................................ ........................ 5 2.1 General reasoning of the EDPB regarding the submitted list ................................ ..... 5 2.2 Application of the consistency mechanism to the draft list ................................ ....... 6 2.3 Analysis of the draft list ................................ ................................ ............................... 6 Reference to the Guidelines ................................ ................................ .............................. 6 Biometric data ................................ ................................ ................................ .................... 6 Genetic data ................................ ................................ ................................ ....................... 6 Location data ................................ ................................ ................................ ..................... 7 Processing for scientific or historical purposes without consent ................................ ...... 7 Further processing ................................ ................................ ................................ ............. 7 Exceptions to information to be provided to the data subject according to article 14.5 GDPR ................................ ................................ ................................ ................................ .. 7 Employee Monitoring ................................ ................................ ................................ ........ 8 Processing car ried out with the aid of an implant ................................ ............................. 8 Interfaces of personal electronic Device unprotected against unauthorized readout ..... 8 Processing using new/innovative technology ................................ ................................ ... 8 3. Conclusions / Recommendations ................................ ................................ ...................... 9 4. Final Remarks ................................ ................................ ................................ ................... 1 0 3 The European Data Protection Board Having regard to Article 63, Article 64 (1a), (3) - (8) and Article 35 (1), (3), (4), (6) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, Having regard to Article 10 and 22 of its Rules of Procedure of 25 May 2018 , Whereas: (1) The main role of the Board is to ensure the consistent application of the Regulation 2016/679 (here after GDPR) throughout the European Economic Area. In compliance with article 64.1 GDPR, the Board has to issue an opinion where a superviso ry authority intends to adopt a list of processing operations subject to the requirement for a data protection impact assessment pursuant to article 35.4 GDPR. The aim of this opinion is therefore to create a harmonized approach with regard to processing t hat is cross border or that can affect the free flow of personal data or natural person across the European Union. Even though the GDPR doesn’t impose a single list, it does promote consistency. The Board seeks to achieve this objective in its opinions fi rstly by requesting SAs to include some types of processing in their lists, secondly by requesting them to remove some criteria which the Board doesn’t consider as necessarily creating high risks for data subjects, and finally by requesting them to use som e criteria in a harmonized manner. (2) With reference to A rticle 35 (4) and (6) GDPR, the competent supervisory authorities shall establish lists of the kind of processing operations which are subject to the requirement for a data protection impact assessm ent (hereinafter “DPIA” ) . They shall, however, apply the consistency mechanism where such lists involve processing operations, which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union . (3) While the draft lists of the competent supervisory authorities are subject to the consistency mechanism, this does not mean that the lists should be identical . T he competent supervisory authorities have a margin of discretion with regard to the national or regional context and should take into account their local legislation . The aim of the EDPB assessment/opinion is not to reach a single EU list but rather to avo id significant inconsistencies that may affect the equivalent protection of the data subjects. (4) The carrying out of a DPIA is only mandatory for the controller pursuant to Article 35 (1) GDPR where processing is “likely to result in a high risk to the r ights and freedoms of natural 4 persons”. Article 35 (3) GDPR illustrates what is likely to result in a high risk. This is a non - exhaustive list. The Working Party 29 in the Guidelines on data protection impact assessment 1 , as endorsed by the EDPB 2 , has clar ified criteria that can help to identify when processing operations are subject to the requirement for a DPIA. The Working Party 29 Guidelines WP248 state that in most cases, a data controller can consider that a processing meeting two criteria would requi re a DPIA to be carried out, however, in some cases, a data controller can consider that a processing meeting only one of these criteria requires a DPIA. (5) The lists produced by the competent supervisory authorities support the same objective to identify processing operations likely to result in a high risk and processing operations, which therefore require a DPIA. As such , the criteria developed in the Working Party 29 Guidelines should be applied when assessing whether the draft lists of the competent supervisory authorities does not affect the consistent application of the GDPR. (6 ) T wenty - two competent supervisory autho rities have submitted their draft lists to the EDPB. A global assessment of these draft lists supports the objective of a consistent application of the GDPR even though the complexity of the subject matter increases. (7) The opinion of the EDPB shall be a dopted pursuant to Article 64 (3) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decided that the file is complete. Upon deci sion of the Chair , this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE OPINION : 1. Summary of the Facts The Comissão Nacional de Protecção de Dados - CNPD ( hereafter Portuguese Supervis ory Authority) has submitted its draft list to the EDPB. The decision on the completeness of the file was taken on 10th of July 2018 . This period until which the opinion to be adopted has been extended until the 25th of September taking into account the co mplexity of the subject matter considering that at the same time twenty - two competent supervisory authorities submitted the draft lists and thus the need for a global assessment arose . 1 WP29, Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP 248 rev. 01). 2 EDPB, Endorsement 1/2018 . 5 2. Assessment 2.1 General reasoning of the EDPB regarding the submitted list Any list submitted to the EDPB has been interpreted as further specifying Art 35.1, which will prevail in any case. Thus , no list can be exhaustive. In compliance with article 35.10 GDPR, the Board is of the opinion that if a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of the legal basis the obligation to carry out a DPIA in accordance with paragraphs 1 to 7 of article 35 GDPR does not apply, unless the Member State deems it necessary. Further, if the Board requests a DPIA for a certain category of processing and an equivalent measure is already required by national law, the Portuguese Supervisory Authority shall add a reference to this measure. This opinion does not reflect upon items submitted by the Portuguese Supervisory Authority , which were deemed outside the scope of Article 35.6 GDPR. T h is refers to items that neither relate “ to the offering of goods or services to data subjects ” in several Member States n or to the monitoring of the behavi our of data subjects in several Member States . Additionally , they are not likely to “ substantially affect the free movement of personal data within the Union ” . This is especially the case for items relating to national legislation and in particular where t he obligation to carry out a DPIA is stipulated in national legislation . Further, any processing operations that relate to law enforcement were deemed out of scope, as they are not in scope of the GDPR. The Board has noted that several supervisory authorit ies have included in their lists some types of processing which are necessarily local processing. Given that only cross border processing and processing that may affect the free flow of personal data and data subjects are concerned by Article 35.6, the Boa rd will not comment on those local processing. The opinion a im s at defining a consistent core of processing operations that are recurrent in the lists provided by the SAs. This means that, for a limited number of types of processing operations, that will be defined in a harmonised way, all the Supervisory Authorities will require a DPIA to be carried out and the Board will recommend the SAs to amend their lists accordingly in order to ensure consistency. When this opinion remains silent on DPIA list entri es submitted, it means that the Board is not asking the Portuguese Supervisory Authority to take further action. Finally, the Board recalls that transparency is key for data controllers and data processors. In order to clarify the entries in the list, the Board is of the opinion that making an explicit reference in the lists, for each type of processing, to the crite ria set out in the guidelines could improve this transparency. Therefore, the Board considers that an explanation on which 6 criteria have been taken into account by the Portuguese Supervisory Authority to create its list could be added. 2.2 Application of the c onsistency mechanism to the draft list The submitted draft list by the Portuguese Supervisory Authority relate s to the offering of goods or services to data subjects, relate s to the monitoring of their behaviour in several Member States and/or may substant ially affect the free movement of personal data within the Union mainly because the processing operations in the submitted draft list are not limited to data subjects in this country. 2.3 Analysis of the draft list Taking into account that : a. A rticle 35 ( 1 ) GDPR require s a DPIA when the processing activity is likely to result in a high risk to the rights and freedoms of natural persons; and b. A rticle 35 ( 3 ) GDPR provides a non - exhaustive list of types of processing that require a DPIA , the Board is of the opinion that : R EFERENCE TO THE G UIDELINES The board is of the opinion that the analysis done in the Working Party 29 Guidelines WP248 are a core element for ensuring consistency across the Union. Thus, it requests the different Supervisor Authorities to add a statement to the document containing their list that clarifies that their list is based on these guidelines and that it complement s and further specifies the guidelines. As the document of the Portuguese Supervisory Authority does not contain such a statement, the B o ard recommends the Portuguese Supervisory Authority to amend its document accordingly. B IOMETRIC DATA The list submitted by the Portuguese Supervisory Authority for an opinion of the Board states, that the processing of biometric data falls under the obligation to perform a DPIA on its own. The Board is of the opinion that the processing of biometric data on its own is not necessarily likely to represent a high risk. However, the processing of biometric data for the purpose of uniquely identifying a natural person in conjunction with at least one other criterion requires a DPIA to be carried out. As such, t he Board requests the Portuguese Supervisory Authority to amend its list accordingly, by adding that the item referencing the processing of biometric data for the purpose of uniquely identifying a natural person requires a DPIA to be carried out only when it is done in conjunction of at least one other criterion , to be applied without prejudice to article 35(3) GDPR. G ENETIC DATA The list submitted by the Portuguese Supervisory Authority for an opinion of the Board does not currently require a DPIA to be d one for the processing of genetic data. The Board is of the 7 opinion that the processing of genetic data on its own is not necessarily likely to represent a high risk. However, the processing of genetic data in conjunction with at least one other criterion requires a DPIA to be carried out. As such, the Board requests the Portuguese Supervisory Authority to amend its list accordingly, by adding explicitly the processing of genetic data in conjunction with at least one other criterion to its list , to be appli ed without prejudice to article 35(3) GDPR. L OCATION DATA The Board is of the opinion that the processing of location data on its own is not necessarily likely to represent a high risk. However, the processing of location data in conjunction with at least one other criterion requires a DPIA to be carried out. The list submitted by the Portuguese Supervisory Authority for an opinion of the Board does currently require a DPIA to be carried out when there is a processing of location data on its own. The Board requests the Portuguese Supervisory Authority to amend its list accordingly, by adding that the item referencing the processing of location data requires a DPIA to be carried out only when it is done in conjunction of at least one other criterion . P ROCESSI NG FOR SCIENTIFIC OR HISTORICAL PURPOSE S WITHOUT CONSENT The Board is of the opinion that the processing of personal data for scientific or historical purpose s on its own is not necessarily likely to represent a high risk. However, the processing of personal data for scientific or historical purpose in conjunction wit h at least one other criterion does require a DPIA to be carried out. The list submitted by the Portuguese Supervisory Authority for an opinion of the Board states that this type of processing in conjunction with at least one other criterion falls under the obligation to perform a DPIA. The Board takes note of the inclusion of this criterion in the l ist. F URTHER PROCESSING The Board is of the opinion that further processing of personal data should not be a criterion leading to an obligation to do a DPIA, alone or with another criterion. The list submitted by the Portuguese Supervisory Authority for an opinion of the Board does currently require a DPIA to be carried out for the further processing of personal data. The Board requests the Portuguese Supervisory Authority to amend its list accordingly, by removing this criterion. E XCEPTIONS TO INFORMA TION TO BE PROVIDED TO TH E DATA SUBJECT ACCOR DING TO ARTICLE 14.5 GDPR The Board is of the opinion that types of processing activities that could deprive the data subjects from their rights do not represent a high risk on their own. Therefore, a processing acti vity conducted by the controller under article 14 GDPR and where the information to be given to the data subjects is subject to an exemption under article 14.5 (b) - (d) could require a DPIA to be carried out only in conjunction with at least on e other crite rion. The list submitted by the Portuguese Supervisory Authority for an opinion of the Board does currently require a DPIA to be done for the processing of data where article 14(5), para (b), (c) and (d) applies on its own. The Board requests the Portugues e Supervisory Authority to amend its list 8 accordingly , by adding that it requires a DPIA only in conjunction with at least one other criterion. E MPLOYEE M ONITORING The Board is of the opinion that, due to its specific nature, the employee monitoring proces sing, meeting the criterion of vulnerable data subjects and of systematic monitoring in the guidelines, – could require a DPIA. Given that the list submitted by the Portuguese Supervisory Authority for an opinion of the Board already envisages this type of processing as requiring a data protection impact assessment, the Board solely recommends making explicit the reference to the two criteria in the guidelines WP29 Guidelines WP248. In addition, the Board is of the opinion that the WP249 of the Article 29 w orking party remains valid when defining the concept of the systematic processing of employee data. P ROCESSING CARRIED OU T WITH THE AID OF AN IMPLANT The Board is of the opinion that, the processing of non - health data with the aid of an implant does not re quire a DPIA in every instance . The list submitted by the Portuguese Supervisory Authority for an opinion of the Board does currently not clarify that a DPIA i s to be done for the processing of health data with the aid of an implant. As such, the Board req uests the Portuguese Supervisory Authority to amend its list accordingly, by stating that in any event the processing of health data with the aid of an implant requires a DPIA to be carried out. I NTERFACES OF PERSONA L ELECTRONIC D EVICE UNPROTECTED AG AINST UNAUTHORIZED READOUT The Board is of the opinion that the processing made in the context of the collection of personal data via interfaces of personal electronic devices, which are not protected against unauthorized readout, should not be a criterion leadi ng to an obligation to do a DPIA, alone or with another criterion. Given that the list submitted by the Portuguese Supervisory Authority for an opinion of the Board envisages this type of processing as requiring a data protection impact assessment in its i tem 2 , the Board requests the Portuguese Supervisory Authority to amend its list accordingly. P ROCESSING USING NEW / INNOVATIVE TECHNOLOG Y The list submitted by the Portuguese Supervisory Authority for an opinion of the Board envisages that the use of new or innovative technology, on its own, requires a DPIA. The Board is of the opinion that the use of innovative technology on its own is not necessarily likely to represent a high risk. However, the use of innovative technology in conjunction with at least one other criterion requires a DPIA to be carried out. Therefore, the Board requests the Portuguese Supervisory Authority to amend its list accordingly, firstly by referring in their list to innovat ive technology and secondly by adding that the item requires a DPIA to be carried out only when it is done in conjunction of at least one other criterion . 9 3. Conclusions / Recommendations The draft list of the Portuguese Supervisory Authority may lead to an inconsistent application of the requirement for a DPIA and the following changes need to ma d e :  Regarding the reference to the guidelines : the Board requests the Portuguese Supervisory Authority to amend its document accordingly.  Regarding biometric data: the Board requests the Portuguese Supervisory Authority to amend its list by adding that the item referencing the processing of biometric data for the purpose of uniquely identifying a natural person requires a DPIA to be carried out only when it is done i n conjunction of at least one other criterion .  Regarding genetic data: the Board requests the Portuguese Supervisory Authority to amend its list by adding explicitly the processing of genetic data in conjunction with at least one other criterion to its list.  Regarding location data: the Board requests the Portuguese Supervisory Authority to amend its list by adding that the item referencing the processing of location data requires a DPIA to be carried out only when it is done in conjunction of at least one other criterion.  Regarding further processing: the Board requests the Portuguese Supervisory Authority to amend its list accor dingly, by removing this criterion.  Regarding the exceptions to the information to be given to the data subjects according to article 14.5 GDPR: the Board requests the Portuguese Supervisory Authority to amend its list by adding that it requires a DPIA onl y in conjunction with at least one other criterion  Regarding employment monitoring: the Board solely recommends making explicit the reference to the two criteria in the gu idelines WP29 Guidelines WP248.  R egarding processing carried out with the aid of an i mplant: the Board requests the Portuguese Supervisory Authority to amend its list by stating that only the processing of health data with the aid of an implant requires a DPIA to be carried out .  Regarding interfaces of personal electronic devices un protect ed against unauthorized readout : the Board requests the Portuguese Supervisory Authority to amend its list by removing the reference to the collection of personal data via interfaces of personal electronic devices which are not protected against unauthoriz ed readout from its list.  Regarding processing using new or innovative technology: the Board requests the Portuguese Supervisory Authority to amend its list firstly by referring in their list to innovative technology and secondly by adding that the item re quires a DPIA to be carried out only when it is done in conjunction of at least one other criterion . 10 4. Final Remarks This opinion is addressed to the Comissão Nacional de Protecção de Dados - CNPD (Portuguese Supervisory Authority) and will be made public pursuant to Article 64 (5b) GDPR. According to Article 64 (7) and (8) GDPR, the supervisory authority shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft list. Within the same period, it shall provide the amended draft list or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. For the European Data Protection Board The Chair (Andrea Jelinek)

---
Generated by overview.legal · https://overview.legal/posts/126297 · 2026-07-17
