Data Protection Impact Assessments – Now also to include biometric data!

 January 15, 2020 | News

The General Data Protection Regulation (“GDPR”) imposes quite a few obligations, including the obligation to carry out Data Protection Impact Assessments (“DPIAs”). A DPIA may in particular be required in specific cases. Where a type of processing is listed by the Dutch Data Protection Authority (“DPA”), a DPIA is a definite requirement. The DPA recently expanded its list to include the category ‘biometric data’, the upshot being that your organisation may now be required to carry out a DPIA. This blog aims to explain how the GDPR defines the term biometric data and the standards with which DPIAs have to comply.

Data Protection Impact Assessments

DPIAs (the full Dutch term being gegevensbeschermingseffectenbeoordeling) allow controllers to assess in advance privacy risks associated with a proposed type of processing. Based on the results, controllers can then take such measures as would be necessary to reduce or eliminate such risks.

The GDPR requires the controller to carry out a DPIA “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons”(Article 35(1) GDPR).

It follows from the DPA's Guidelines on DPIAs (‘Richtsnoeren voor gegevensbeschermingseffectenbeoordelingen’) that there are nine other criteria that may act as indicators of likely high-risk processing, which would require a DPIA pursuant to Article 35(a) GDPR. These criteria include: evaluation or scoring, sensitive data or data of a highly personal nature, and the innovative use or application of new technological or organisational solutions.

What standards do DPIAs need to comply with?

There is no single mandatory methodology to be used in the implementation of a DPIA. However, the GDPR does set out the minimum features of a DPIA. They are: (1) a systematic description of the envisaged processing operations, (2) an assessment of the necessity and proportionality of the processing in view of the purposes of that processing, (3) an assessment of the risks to the rights and freedoms of the data subjects, and (4) a description of the measures envisaged to address those risks. The Data Protection Officer - if one has been appointed - must be consulted before the DPIA is implemented.

If the attempt to identify and subsequently eliminate risks through the use of a DPIA has been unsuccessful and, as a consequence, the type of processing still carries too high a risk, the controller needs to consult with the Dutch DPA before going ahead with the processing. This is also known as prior consultation. Under this prior consultation process, the Dutch DPA provides advice on whether the processing is lawful.

We should note in conclusion that the controller is required to continue to assess whether the processing complies with the outcomes of the DPIA, in particular when circumstances have changed.

The Dutch DPA's list of types of processing operations

Article 35 GDPR requires the Dutch DPA to establish and make public a list of the types of processing operations that are subject to the requirement for a DPIA. Having first issued a number of draft versions, the DPA recently made public its definitive list.

The new kid on the block (or rather, the list) is biometric data. A DPIA is required ahead of every processing operation involving biometric data. According to the Dutch DPA, the processing of biometric data encompasses systematic monitoring, large-scale data processing, and the innovative use and application of new technological or organisational solutions, all of which are mentioned as high-risk indicators in the Guidelines.

Biometric data

The GDPR defines biometric data as follows: “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” (Article 4(14) GDPR).

It should be noted here that in the recitals to the GDPR it is considered that the processing of photographs should not systematically be considered to be processing of biometric data - photographs would only be considered biometric data if processed through a technical means allowing the unique identification or authentication of a natural person.

Biometric data are considered special personal data. As a consequence, the processing of biometric data is prohibited in principle, unless one of the exceptions of Article 9(2) GDPR applies.

The Dutch legislator incorporated in the GDPR Implementation Act (“GDPRIA”) an additional (specific) exception to the prohibition against the processing of biometric data. Under this clause, biometric data may be processed if necessary for authentication and security purposes (Article 29 GDPRIA).

Interest of carrying out and recording the DPIA

Accountability makes organisations responsible for complying with the GDPR and demonstrating this compliance. They must in this context be able to present DPIAs if so requested.

Consequently, it is in the best interests of organisations to examine whether they are required to carry out DPIAs and then either record the reasons for the absence of such requirement, or record the DPIA in writing.

Legal advice or more information

If you need assistance with the process of implementing a DPIA or if you need to know when you are required to carry out a DPIA, please do not hesitate to contact Martin Hemmer.

Author of this blog: Sophie Hendriks.