The Belgian Privacy Commission (the “Belgian DPA”) recently released a Recommendation (in French and Dutch) on Data Protection Impact Assessment (“DPIA”) and the prior consultation requirements under Articles 35 and 36 of the EU General Data Protection Regulation (“GDPR”) (the “Recommendation”). The Recommendation aims to provide guidance on the core elements and requirements of a DPIA, the different actors involved and specific provisions.
Key takeaways from the Recommendation are summarized below:
- Why conduct a DPIA? The Belgian DPA states that the obligation to conduct a DPIA in certain circumstances should be understood in light of two central principles of the GDPR, namely the principle of accountability and the risk-based approach.
- When is a DPIA required? The Belgian DPA indicates that carrying out a DPIA is not mandatory for every processing operation. Instead, a DPIA is only required where a type of processing is “likely to result in a high risk to the rights and freedoms of natural persons.” For this assessment, the Belgian DPA refers to the Guidelines of the Article 29 Working Party (“Working Party”) and, in particular, to the nine criteria set out in the Guidelines for determining whether the processing of personal data is likely to create a high risk to the rights and freedoms of individuals. According to the Belgian DPA, if two of the criteria on this list are met, a DPIA must be conducted.
- When should a DPIA be conducted? The Belgian DPA stresses that the DPIA must be done before any processing of personal data, and is a tool available to help make decisions concerning the processing.
- What are the essential elements of a DPIA? A DPIA must contain a systematic description of the envisaged processing and its purposes, including at a minimum a clear description of the processing, the personal data involved, the categories of recipients, the retention period of the data and, finally, the material (e.g., software, network, paper, etc.) on which the data are stored. The DPIA must also include an evaluation of the necessity and proportionality of the processing activities with regard to the purposes of the processing, taking into account several criteria. Additionally, the DPIA must include a risk assessment covering the whole process of identifying, analyzing and evaluating the risks. To conduct such an assessment, companies may choose their own method as long as it leads to an objective evaluation of the risks; however, the Belgian DPA recommends favoring existing risk management methods. Finally, the DPIA must include the measures envisaged to address those risks, such as the safeguards, security measures and tools implemented to ensure the protection of the data and compliance with the GDPR.
- Prior consultation of the Supervisory Authorities (“SAs”). The Belgian DPA states that the GDPR requires a prior consultation of the SAs only when the residual risk is high. If the risks can be mitigated, then a prior consultation is not mandatory.
The Belgian DPA also makes additional recommendations, including, inter alia:
- Similar or joint processing activities. A single DPIA could be used to assess multiple processing operations that are similar in terms of nature, scope, context, purpose and risks.
- Monitoring and review. The controller should, if necessary, conduct a periodic review of the processing activity to assess whether the processing is consistent with the DPIA that was performed. Such a review must at least take place where there is a modification of the risk resulting from the processing operations.
- Pre-existing processing. For processing activities that began before May 25, 2018, conducting a DPIA is only required if the risk(s) change after May 25, 2018 (e.g., a new technology is used or personal data are used for another purpose). However, the Belgian DPA recommends, as a best practice, also conducting DPIAs for existing processing activities if they are likely to result in a high risk to the rights and freedoms of individuals.
Finally, the Recommendation includes annexes:
- Annex 1: The Belgian DPA recommends some minimal characteristics for appropriate risk management.
- Annex 2: The Belgian DPA provides a draft list of processing activities requiring a DPIA. The list includes, inter alia, processing of biometric data for the purpose of identifying individuals in a public area, collecting personal data from third parties for the purpose of making decisions (including to refuse or terminate) regarding a contract to which an individual is party, large-scale processing of personal data from vulnerable individuals (e.g., children), or large-scale processing of personal data where individuals’ behavior is observed, collected, established or influenced in a systematic manner and using automated means, including for advertising purposes.
- Annex 3: The Belgian DPA provides a draft list of processing activities that are exempt from a DPIA, including, inter alia, processing activities by private entities which are necessary to meet their legal obligations, subject to conditions, the processing of personal data for payroll purposes and HR management, and the processing of personal data for client and vendor management purposes, subject to certain conditions.