The Belgian Data Protection Authority (the “Belgian DPA”) recently published the updated list of the types of processing activities which require a data protection impact assessment (“DPIA”). Article 35.4 of the EU General Data Protection Regulation (“GDPR”) obligates supervisory authorities (“SAs”) to establish a list of the processing operations that require a DPIA and transmit it to the European Data Protection Board (the “EDPB”).
The draft list was published in April 2018. In October, the EDPB adopted an Opinion on the draft DPIA lists established by the SAs, including the Belgian DPA. Following the EDPB’s Opinion, the Belgian DPA modified its list. The Belgian DPA asserts that this list is neither exhaustive nor final and could be modified in the future.
According to the Belgian DPA, the following data processing activities require companies to conduct a DPIA:
- Processing of biometric data for the purpose of uniquely identifying individuals in a public area or private area that is publicly accessible;
- Collecting personal data from third parties in order weigh that information in making a decision to refuse or end a contract with an individual;
- Collecting health-related data by automated means through an active implantable medical device;
- Processing of personal data collected on a large scale by third parties to analyze or predict the economic situation, health, preferences or personal interests, reliability or behavior, localization or movements of natural persons;
- Systematic sharing between several data controllers of special categories of personal data (“sensitive personal data”) or data of a very personal nature (such as data related to poverty, unemployment, youth support or social work, data related to domestic and private activities and location data) between different data controllers;
- Large-scale processing of data generated by devices with sensors that send data over the Internet or any another means (i.e., Internet of Things applications such as smart TV, smart household appliances, connected toys, smart cities, smart energy systems) for the purpose of analyzing or predicting individuals’ economic situation, health, preferences or personal interests, reliability or behavior, localization or movements;
- Large-scale and/or systematic processing of telephony data, Internet data or other communication data, metadata or localization data of individuals, or that can lead to specific individuals (e.g., Wi-Fi tracking or processing of individuals’ localization data in public transports), when such processing is not strictly necessary for the service requested by the individuals; and
- Large-scale processing of personal data where individuals’ behavior is observed, collected, established or influenced in a systematic manner and using automated means, including for advertising purposes.