Slovak list of processing operations which are subject to the requirement for a data protection impact assessment

06.05.2019

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (hereinafter “DPIA”).

Under Article 35/4 of the GDPR: “The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.”

List of processing operations which are subject to the requirement for a data protection impact assessment within Slovak Republic (hereinafter “List”

  • further specifies Art. 35 (1) of General Data Protection Regulation;
  • has non-exhaustive nature and Art. 35 (1) of General Data Protection Regulation prevails in any case;
  • is based on the criteria developed in the WP29 Guidelines WP 2481 and EDPB opinion 21/20182;
  • its aim is therefore to create a harmonized approach with regard to processing that is cross border or that can affect the free flow of personal data or natural person across the European Union;
  • complements and further specifies the Guidelines WP 248;
  • identifies 13 processing operations.

List of processing operations which are always subject to the requirement for a data protection impact assessment are as follows:

1. Processing operations of biometric data for the purpose of uniquely identifying a natural person in conjunction with at least one other criterion mentioned in Guidelines WP 248.

2. Processing operations of genetic data of a natural person in conjunction with at least one other criterion mentioned in Guidelines WP 248.

3. Processing of location data together with another criterion mentioned in Guidelines WP 248.

4. Processing operations conducted under Art. 14 of General Data Protection Regulation.

Where the information to be given to the data subject is subject to an exemption under Art. 14 (5) para (b), (c) and (d) of General Data Protection Regulation require data protection impact assessment to be carried out only in conjunction with at least one other criterion mentioned in Guidelines WP 248.

5. Scoring.

The purpose of data processing is to assess certain characteristics of the data subject, and its result has an effect on the quality or the provision of the service provided and to be provided to the data subject.

6. Credit rating.

The purpose of data processing is to assess the creditability of the data subject by way of evaluating personal data in large scale or systematically.

7. Solvency rating.

The purpose of data processing is to assess the solvency of the data subject by way of evaluating personal data in large scale or systematically.

8. Profiling. 

The purpose of data processing is profiling by way of evaluating personal data systematically, especially when it is based on the characteristics of the workplace performance, financial status, health condition, personal preferences or interests, trustworthiness or conduct, residence or movement of the data subject.

9. Monitoring employee work on the ground of serious reasons based on the particular nature of the employer's activities (hereinafter ”employee monitoring processing”).

Due to its specific nature, employee monitoring processing, meeting the criterion of vulnerable data subject and criterion of systematic monitoring, as two criteria mentioned in Guidelines WP 248, requires data protection impact assessment to be carried out.

10. Personal data is processed for the purposes of scientific or historical research without the consent of the data subject in conjunction with at least one other criterion mentioned in Guidelines WP 248.

11. Personal data processing using new or innovative technologies in conjunction with at least one other criterion mentioned in Guidelines WP 248.

12. Systematic monitoring of public spaces by cameras (in particular cities, municipalities and providers of both urban and suburban public transport).

13. Monitoring of people in the provision of detective services.

Criteria according Guidelines WP 248 that can help to identify when processing operations are subject to the requirement for a data protection impact assessment:

  • automated-decision making with legal or similar effect, 
  • systematic monitoring, 
  • sensitive data or data of a highly personal nature, 
  • data processed on a large scale, 
  • matching or combining datasets, 
  • data concerning vulnerable data subjects, 
  • innovative use or applying new technological or organisational solutions, 
  • when the processing in itself prevent data subjects from exercising right or using a service or a contract. 

 

References:

  1. Guidelines WP 248 rev. 01 on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purpose of Regulation 2016/679 are available here: https://www.dataprotection.gov.sk/uoou/sites/default/files/guidelines_on_data_protection_impact_assessment_dpia_and_determining_whether_processing_is_likely_to_result_in_a_high_risk.pdf
  2. Opinion 21/2018 Slovakia SAs DPIA List) is available here: https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-212018-slovakia-sas-dpia-list_en

 

Article provided by: Miroslav Chlipala, Stefan Pilar (Bukovinský & Chlipala, s.r.o.)

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.