The Spanish Data Protection authority has published the list of processing operations in which an impact assessment is mandatory. Thus, it will be necessary to carry out an impact assessment in cases where the processing meets at least two criteria of the list.
Regulation UE 2016/679, General Data Protection Regulation (GDPR) establishes in its article 35.1 that in those cases in which it is probable that the processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out a data protection impact assessment, taking into account the origin, nature, particularity and severity of the risk. The same article, specifically in section 4, provides that each supervisory authority must establish the types of processing operations that require an impact assessment.
Based on the foregoing, the Spanish Data Protection authority has published the list of processing operations in which an impact assessment is mandatory. Thus, it will be necessary to carry out an impact assessment in cases where the processing meets at least two criteria of the list, among which are, for example:
- the profiling or assessment of subjects;
- observation, geolocation or systematically and exhaustively control;
- the processing that implies the use of special categories of personal data, data related to criminal convictions or data that allow to determine the economic solvency;
- the use of biometric data to uniquely identify a person;
- the use of genetic data;
- the use of large-scale data.
In this way, controllers have more security when determining which processing operations are likely to result in a high risk and therefore require an impact assessment.
The list has been communicated to the European Data Protection Board, which has issued a favourable opinion on it, following the criteria established in the assessment of all the lists sent by the national authorities.
If your company performs any type of processing activities that requires an impact assessment, please contact our office.