In order to determine which processing operations are likely to result in a high risk, and for which a data protection impact assessment (PVZLP) is mandatory, the controller must consider at least one of the following criteria:

  1. Evaluation or scoring, including profiling and prediction, in particular based on aspects of the personal data subject’s performance, economic situation, health, personal preferences or interests, security or behavior, location or movements. Examples of this criterion are a financial institution that checks its customers against a credit reference database, an anti-money-laundering and counter-terrorist-financing database, or a fraud database; a biotechnology company that offers genetic tests to its customers in order to assess and predict disease or health risks; or a company that builds behavioral or marketing profiles based on usage of or navigation on its website.
  2. Automated decision-making with legal or similarly significant effect, that is, processing aimed at making decisions about personal data subjects that produce legal effects concerning the natural person or similarly significantly affect the natural person. For example, such processing may lead to the exclusion or discrimination of individuals. Processing that has little or no impact on individuals does not meet this criterion.
  3. Systematic monitoring, i.e. processing used to monitor, observe or control the subjects of personal data, including data collected through networks or “systematic monitoring of publicly accessible spaces”. This type of observation is one of the criteria because personal data can be collected in situations where the subjects of personal data are not aware of who is collecting their data and for what purposes it will be used. In addition, individuals may not be able to avoid such processing in public (or publicly accessible) areas.
  4. Sensitive data or data of a distinctly personal nature: this includes the special categories of personal data defined in Article 4 paragraph (1) point 13 of the Law on the Protection of Personal Data, as well as personal data relating to criminal convictions and offences. For example, a general hospital that keeps patients’ medical records, or a private detective that keeps details of offenders.

Certain categories of data may be considered to increase the potential risk to the rights and freedoms of natural persons. Such personal data is considered sensitive because it relates to household and private activities (for example, electronic communications whose confidentiality needs to be protected), because it affects the exercise of a fundamental right (for example, location data, the collection of which calls into question freedom of movement), or because a breach of it seriously affects the daily life of personal data subjects (for example, financial data that can be used for payment fraud). In this sense, it may be relevant whether the data has already been made publicly available by the data subject or by a third party. The fact that personal data is publicly available may be considered as a factor in the assessment if the data was expected to be further used for specific purposes. This criterion can also include data such as personal documents, e-mails, diaries, notes from e-readers equipped with note-taking features, and very personal information contained in applications used for daily activities.

  5. Extensive data processing. When determining whether the processing is extensive according to the circumstances of each specific case, the following factors are taken into account:
  • number of affected personal data subjects, be it a specific number or a percentage of the relevant population;
  • volume of data and/or coverage of different types of data being processed;
  • duration or continuity of personal data processing operations;
  • the geographical scope of the personal data processing activities.
  6. Matching or combining sets of personal data, for example data originating from two or more personal data processing operations carried out for different purposes and/or by different controllers in a way that exceeds the reasonable expectations of the personal data subject.
  7. Data relating to vulnerable subjects of personal data: the processing of this type of data is a criterion because of the increased imbalance of power between personal data subjects and controllers, whereby natural persons may be unable to easily consent to or object to the processing of their data, or to exercise their rights. Vulnerable subjects of personal data are children (it is considered that they cannot knowingly and intentionally consent to or oppose the processing of their personal data), employees, more vulnerable groups that need special protection (people with mental disabilities, asylum seekers, elderly people, patients, etc.), as well as any other case in which there is an imbalance in the position of the personal data subject and the controller.
  8. Innovative use or application of new technological or organizational solutions, such as combining fingerprint and face recognition to improve physical access control. The use of new technology, defined in accordance with the achieved state of technological knowledge, may trigger the need to carry out a PVZLP. This is because the use of such technology may involve novel forms of data collection and use, with a possible high risk to the rights and freedoms of individuals. The personal and social consequences of applying the new technology may still be unknown. The PVZLP helps the controller to understand and manage such risks. For example, certain Internet of Things (IoT) applications can significantly affect the daily life and privacy of individuals; therefore, a PVZLP should be carried out.
  9. Situations where the processing may prevent personal data subjects from exercising a right or using a service or contract. This includes processing operations that aim to allow, modify or refuse personal data subjects’ access to a particular service or the conclusion of a contract. For example, a bank checks its customers against a credit reference database when deciding on a loan.

Examples of how the criteria should be used to assess whether a specific processing operation should be subject to a PVZLP. Each entry below corresponds to one row of the original table (processing example; possible relevant criteria; is it necessary to implement a PVZLP?):

Processing example: A hospital that processes genetic and health data of its patients (hospital information system).
Possible relevant criteria:
  • Sensitive personal data or data of a distinctly personal nature.
  • Data relating to vulnerable subjects of personal data.
  • Extensive data processing.
Is it necessary to implement a PVZLP? Yes

Processing example: Use of a video surveillance system to monitor the behavior of drivers on highways. The controller intends to use an intelligent video analysis system to distinguish cars and automatically recognize license plates.
Possible relevant criteria:
  • Systematic monitoring.
  • Innovative use or application of technological or organizational solutions.
Is it necessary to implement a PVZLP? Yes

Processing example: A company that systematically monitors the activities of its employees, including monitoring employee workstations, internet activities, etc.
Possible relevant criteria:
  • Systematic monitoring.
  • Data relating to vulnerable subjects of personal data.
Is it necessary to implement a PVZLP? Yes

Processing example: Collection of personal data from public social media for creating profiles.
Possible relevant criteria:
  • Evaluation or scoring.
  • Extensive data processing.
  • Matching or combining sets of personal data.
  • Sensitive personal data or data of a distinctly personal nature.
Is it necessary to implement a PVZLP? Yes

Processing example: Collection and storage for archiving purposes of pseudonymized sensitive personal data relating to vulnerable personal data subjects in research projects or clinical trials.
Possible relevant criteria:
  • Sensitive personal data.
  • Data relating to vulnerable subjects of personal data.
  • Processing that prevents personal data subjects from exercising a right or using a service or contract.
Is it necessary to implement a PVZLP? Yes

Processing example: Processing of personal data of patients or clients of family doctors, other health professionals or a lawyer.
Possible relevant criteria:
  • Sensitive personal data or data of a distinctly personal nature.
  • Data relating to vulnerable subjects of personal data.
Is it necessary to implement a PVZLP? No

Processing example: An online magazine that uses a mailing list to send daily news to its subscribers.
Possible relevant criteria:
  • Extensive data processing.
Is it necessary to implement a PVZLP? No

Processing example: An e-commerce website that displays advertisements for vintage car parts, which involves limited profiling based on views or orders on its website.
Possible relevant criteria:
  • Evaluation or scoring.
Is it necessary to implement a PVZLP? No

You can download the list of types of processing operations for which a personal data protection impact assessment is required at the following link.