DPIA. Catalan Data Protection Authority

When is an impact assessment needed?

The Regulation states that this must be done when it is probable that a processing operation poses a high risk to people. It does not specify what a high risk is, but says aspects such as the use of new technologies, as well as the nature, scope, context and purpose of the processing should be considered.

In particular, the Regulation requires that a DPIA be carried out in the following 3 cases:

Systematic evaluation of personal aspects based on automated processing, on which decisions are based that significantly affect people.
Large-scale processing of special categories of data or data relating to criminal offences or convictions.
Systematic large-scale monitoring of a publicly accessible area.

In addition, it requires each data protection authority to publish a list of processing operations that require a DPIA. In the case of the Catalan Data Protection Authority, this list can be consulted here. For organisations under the jurisdiction of the Spanish Data Protection Authority, the list can be consulted here here

An impact assessment may also need to be carried out as a result of the extra guarantees required by the Regulation for archiving purposes in the public interest, statistics or scientific or historical research, if so determined by the legislation of the Member State (the LOPDGDD, in our case).

On the other hand, the Regulation specifies that impact assessments are not required for processing operations based on a legal obligation or for the performance of a task carried out in the public interest, where there is a law of the Member State or of the Union governing this and the impact assessment has been carried out in the process of passing this law.

If in doubt, it is advisable to perform the impact assessment, especially in the case of the most complex processing operations.

How should an impact assessment be structured?

The GDPR establishes the minimum content that an impact assessment must have:

Systematic description of the processing operations and purposes.
Assessment of the necessity and proportionality of the processing operations in relation to the purposes.
Assessment of the risks to the rights and freedoms of data subjects.
The measures envisaged to address the risks.

Apart from this minimum content, the Regulation does not provide further information on how an impact assessment should be structured or how this minimum content should be met. That is why more detailed descriptions of the content and even specific impact assessment models have been proposed.

Regarding how to comply with the minimum content of an impact assessment, the information in Annex 2 of the document "Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is likely to result in a high risk for the purposes of Regulation 2016/679" of the Article 29 Working Party may be of use. This annex provides a detailed description of the aspects that an impact assessment should address in order to be acceptable.

To make the task easier for analysts, different templates are proposed that structure impact assessments and comply with the minimum contents mentioned above. These templates include the one proposed by the Authority, which has a manual, a template to complete and even an application that provides further help.

Do impact assessments need to be submitted to the APDCAT?

In general, impact assessments do not need to be submitted to the Authority. The data controller must store the assessment in case it is requested by the Authority.

However, in the context of a prior consultation, it is necessary to submit it to the Authority. In other words, when the impact assessment has detected a significant risk that could not be adequately mitigated and the Authority is consulted on the appropriateness of the processing, before initiating it.