The European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States regarding which processing operations are subject to the requirement of conducting a data protection impact assessment (“DPIA”) under the EU General Data Protection Regulation (“GDPR”).
National DPIA Lists
Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. The following EU Members States have submitted their lists: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.
In some cases, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. In other cases, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The purpose of the EDPB opinions is to ensure the consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among EU Member States with respect to this requirement. The national lists will not be identical because, in establishing DPIA lists, the SAs must take into account their national or regional context and national legislation.
The EDPB has emphasized that the national DPIA lists are aimed to improve transparency for data controllers, but they are not exhaustive. Importantly, the EDPB requests national SAs to include in their DPIA lists a clear reference to the high risk criteria for conducting DPIAs as established by the Article Working Party 29 in its guidance. The draft lists should aim to rely on and complement these guidelines.
After receiving the EDPB’s opinions, the SAs have two weeks to (1) communicate to the EDPB whether they intend to amend their draft list or maintain it in its current form and (2) provide an explanation for such decision.
View the 22 Opinions of the EDPB on national DPIA lists.