Additional Guidelines for EU General Data Protection Regulation Published


After the Article 29 Working Party had already published 3 guidelines and FAQs in December 2016 on the application of the new EU General Data Protection Regulation (effective May 2018), another guideline is being added now, Working Paper (WP) 248, which is open for comment until the end of May 2017. 

It deals with the Data Protection Impact Assessment according to Article 35 General Data Protection Regulation (GDPR).

According to German law up until now, the “prior checking” under Section 4d(5) and (6) sentence 1 Germany’s Federal Data Protection Act corresponds to the provision under which certain data processing must undergo a legal assessment under data protection law before being implemented. According to applicable law, the data protection officer must be involved. The prior check involves “special risks” for the rights and freedoms of the data subjects. Examples are the processing of special categories of personal data (Section 3(9) Federal Data Protection Act) or processing that is designed to evaluate personal aspects.

The Data Protection Impact Assessment pursuant to the GDPR similarly requires “high risk” for the rights and freedoms of natural persons and names as an example the systematic evaluation of personal aspects relating to natural persons (cf. Article 35(3)(a) GDPR) and as a further example the processing of special categories of personal data referred to in Article 9(1) or Article 10 GDPR (cf. Article 35(3)(b) GDPR). This corresponds largely to the scope of application of the present Federal Data Protection Act.

A new example is being added (Article 35(3)(c) GDPR), namely, the presumption of a “high risk” during “systematic monitoring of a publicly accessible area on a large scale.” The data protection officer is consulted as an advisor by the data controller.

In its newest Guideline, the Article 29 Data Protection Working Party establishes ten criteria, though partially reiterating the elements of Article 35  GDPR. High risk to the rights and freedoms of natural persons is supposed to exist when these criteria are met.

According to WP 248, the criteria for the “high risk” rating are:
  1. Evaluation or scoring of data subjects, including profiling, analysis or predicting, especially from aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements (recitals 71 and 91),

  2. Automated decision-making that produces legal effects concerning the natural person or which similarly significantly affects the natural person (Article 35(3)(a) GDPR),

  3. Systematic monitoring, including the systematic monitoring of a publicly accessible area (Article 35(3)(c) GDPR),

  4. Sensitive data including special categories of personal data as defined in Article 9 GDPR,

  5. Data processed on a large scale aiming to process a considerable volume of personal data at regional, national or supranational level and which could affect a large number of data subjects (recital 91),

  6. Datasets that have been matched or combined from data operations performed for different purposes and/or by different data controllers that would exceed the reasonable expectations of the data subject,

  7. Data concerning vulnerable data subjects, especially data of children (recital 75),

  8. Innovative use or applying technological or organizational solutions for which the data controller has not yet performed a Data Protection Impact Assessment, like combining use of fingerprint and face recognition for access control (recitals 89 and 91)

  9. Data transfer across borders outside the European Union (recital 116),

  10. Processing that prevents data subjects from exercising a right (Article 22 GDPR and recital 91).

The Guideline of the Article 29 Data Protection Working Party goes on to discuss examples and explains, more specifically than is described in Article 35(7) GDPR, the expected contents of a Data Protection Impact Assessment.

Recommended course of action for use in practice:

The newest Guideline of the Article 29 Data Protection Working Party, WP 248, is not binding and is open for comment at present. Following the comment period, it will apply in its final form as an interpretation and orientation aid.

The new Guideline of the Article 29 Data Protection Working Party can be downloaded here: Guidelines on Data Protection Impact Assessment

Subject fields