Update Data Protection No. 40
German supervisory authorities publish a "must list" for data protection impact assessment
Article 35 GDPR requires companies to carry out a so-called data protection impact assessment if based on the nature, scope, context and purposes of the processing, the processing is likely to result in a high risk to the rights and freedoms of natural persons, Art. 35 (1) Sentence 1 GDPR. The company must then document the processing procedure, identify the risks to the rights and freedoms of the natural persons, and explain what remedial measures the company is taking. If remedial measures are not possible, the company must consult the supervisory authorities before commencing the processing. In the opinion of the supervisory authorities, a high risk is given if there is a high probability of damage occurring, and the damage can assume serious dimensions.
As the preconditions for a data protection impact assessment are very indeterminate, Art. 35 (4) GDPR states that the supervisory authorities can draw up a list of the kinds of processing in which companies must always carry out a data protection impact assessment. In the early summer of 2018, the 17 German supervisory authorities caused a certain stir by publishing a total of 14 different "must lists", with the result that companies had to research very precisely what is applicable to them.
The supervisory authorities have now rectified this difficult situation through the publication of a uniform list by the Data Protection Conference on July 25, 2018.
The list covers 16 different cases in which a data protection impact assessment must always be carried out. The list comprises general descriptions of the respective processing, typical cases of application, and examples of the corresponding "must cases". These include the processing of large volumes of data covered by professional or other secrets, geo-localization data, scoring systems, specific surveillance systems in the employee environment, social networks and dating platforms, cases of big-data application, in specific cases the use of artificial intelligence, the tracking of persons in the offline area, the use of RFID and NFC technologies in specific cases, in part also customer loyalty systems, telemedicine or specific areas of application of fitness trackers.
The broad spectrum of cases of compulsory application for a data protection impact assessment, means that companies must urgently concern themselves with the question of whether their processing of personal data corresponds to one of the "must cases". If this is the case and no data protection impact assessment is carried out, there is a risk of a fine of up to 10 million EUR, or up to 2% of annual global sales.
However, needing to carry out a data protection impact assessment also has a further consequence: even if the company was not previously obliged to appoint a Data Protection Officer pursuant to Art. 37 GDPR, Section 38 (1) Sentence 1 BDSG (German Federal Data Protection Act) – for example because it has less than ten employees – Section 38 (1) Sentence 2 BDSG creates an obligation to appoint a Data Protection Supervisor, regardless if a data protection impact assessment must be carried out pursuant to Art. 35 GDPR. Consequently, the "must list" now published by the Data Protection Conference, is a further indicator of when a Data Protection Supervisor must be appointed.