25/03/19

GDPR: CNPD Releases Black List of Processing Operations Subject to a Data Protection Impact Assessment (DPIA)

Further to Article 35(4) and (6) GDPR, the competent supervisory authority, i.e. the CNPD in Luxembourg, must establish a list of the types of processing operations which are likely to result in a high risk for the rights and freedoms of data subjects and, hence, require a data protection impact assessment (hereinafter “DPIA”). This list is in addition to the "high risk" situations foreseen by Article 35(3) GDPR.

According to Article 35 GDPR, carrying out a data protection impact assessment (DPIA) is mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons”, in particular where a new data processing technology is introduced, taking into account the nature, scope, context and purposes of the processing. If the high risk of the processing is confirmed, the data controller must consult the supervisory authority.

Article 35(3) GDPR provides examples of when a processing operation is “likely to result in high risk”, namely when there is:

  • “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  • a systematic monitoring of a publicly accessible area on a large scale”. 

Article 35(4) GDPR further states that the supervisory authorities of the EU Member States must publish a list of processing operations for which a DPIA is required. On 11 March 2019, the Luxembourg supervisory authority, the CNPD, released its "black list", after having amended its initial version following comments made on 4 December 2018 by the European Data Protection Board (EDPB), a body composed of representatives from all EU supervisory authorities.

The following processing activities appear on the black list:

  1. The processing of genetic data if one criterion of the EDPB's 2017 DPIA guidelines is met (unless the processing is carried out by a healthcare professional in the context of healthcare services).
  2. The processing of biometric data for identification purposes if one criterion of the EDPB's 2017 DPIA guidelines is met. 
  3. The combination, correspondence or comparison of data collected for different purposes if this has a legal effect or a significant impact on the data subject. This type of processing calls to mind the former Luxembourg Data Protection Act 2002 (Loi modifiée du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel), which was repealed upon the entry into force of the GDPR and provided for an obligation to request prior authorisation for the interconnection of data sets. 
  4. A regular and systematic control of employee activities if this has a legal effect or a similar significant impact on the data subject. The possibility that employee monitoring could require a DPIA was underscored in the Luxembourg GDPR Act 2018 (Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et mise en œuvre du RGPD), which implements and complements the GDPR. 
  5. The processing of files likely to contain data of the population as a whole, unless a more general impact assessment has already been carried out in the context of a legislative measure on the basis of which the processing takes place.
  6. Processing for scientific or historical research or for statistical purposes within the meaning of Articles 63 to 65 of the GDPR Act 2018. Article 65 of the GDPR Act 2018 stipulates that, for such processing activities, data controllers must implement several measures, including the appointment of a DPO and the carrying out of a DPIA, it being understood that this provision allows the controller to document, justify and request an exemption from the obligation to implement one or more of these measures. Now that the CNPD has included this type of processing on its black list, it appears that it will no longer be possible for controllers to request an exemption from their obligation to perform a DPIA.
  7. Systematic geolocalisation. 
  8. The processing of indirectly collected data if one further criterion of the EDPB DPIA guidelines is met. In its initial proposal, the CNPD suggested that a DPIA would be required if the processing is based on indirectly collected data but only "when it is not possible/feasible to guarantee the right of information". This last requirement has not been maintained in the final version.

It should be noted that the EDPB's 2017 DPIA guidelines also contain a list of "high risk" criteria, it being understood that according to these guidelines a DPIA is required if the processing meets two of these criteria. The guidelines are not legally binding, but have high authoritative value as soft law as well as EU-wide reach. Furthermore, with the adoption of the CNPD black list, the guidelines carry even more weight as some black-listed processing activities require that one of the EDPB's 2017 DPIA criteria be met. 

In any event, now that the CNPD has issued its black list and the EDPB's 2017 DPIA guidelines have more authority, Luxembourg-based data controllers have slightly more certainty regarding the situations in which a DPIA is required.
