LexGo

GDPR: CNPD Releases Black List of Processing Operations Subject to a Data Protection Impact Assessment (DPIA)
25/03/2019

Further to Article 35(4) and (6) GDPR, the competent supervisory authority, i.e. the CNPD in Luxembourg, must establish a list of the types of processing operations which are likely to result in a high risk for the rights and freedoms of data subjects and, hence, require a data protection impact assessment (hereinafter “DPIA”). This list is in addition to the "high risk" situations foreseen by Article 35(3) GDPR.

According to Article 35 GDPR, carrying out a data protection impact assessment (DPIA) is mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons”, in particular where new data processing technologies are used, and taking into account the nature, scope, context and purposes of the processing. If the DPIA confirms that the processing presents a high risk, the data controller must consult the supervisory authority.

Article 35(3) GDPR provides examples of when a processing operation is “likely to result in high risk”, namely when there is:

  • “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  • a systematic monitoring of a publicly accessible area on a large scale”.

Article 35(4) GDPR further states that the supervisory authorities of the EU Member States must publish a list of processing operations for which a DPIA is required. On 11 March 2019, the Luxembourg supervisory authority, the CNPD, released its "black list", after having amended its initial version following comments made on 4 December 2018 by the European Data Protection Board (EDPB), a body composed of representatives from all EU supervisory authorities.

The following processing activities appear on the black list:

  1. The processing of genetic data if one criterion of the EDPB's 2017 DPIA guidelines is met (unless the processing is carried out by a healthcare professional in the context of healthcare services).
  2. The processing of biometric data for identification purposes if one criterion of the EDPB's 2017 DPIA guidelines is met.
  3. The combination, correspondence or comparison of data collected for different purposes if this has a legal effect or a significant impact on the data subject. This type of processing calls to mind the former Luxembourg Data Protection Act 2002 (Loi modifiée du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel), which was repealed upon the entry into force of the GDPR and which required prior authorisation for the interconnection of data sets.
  4. A regular and systematic control of employee activities if this has a legal effect or a similarly significant impact on the data subject. The possibility that employee monitoring could require a DPIA was already underscored in the Luxembourg GDPR Act 2018 (Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et mise en œuvre du RGPD), which implements and complements the GDPR.
  5. The processing of files likely to contain data on the population as a whole, unless a more general impact assessment has already been carried out in the context of the legislative measure on the basis of which the processing takes place.
  6. Processing for scientific or historical research or for statistical purposes within the meaning of Articles 63 to 65 of the GDPR Act 2018. Article 65 of the GDPR Act 2018 stipulates that, for such processing activities, data controllers must implement several measures, including the appointment of a DPO and the carrying out of a DPIA. That provision also allows the controller to document, justify and request an exemption from the obligation to implement one or more of these measures. Now that the CNPD has included this type of processing on its black list, it appears that controllers will no longer be able to request an exemption from their obligation to perform a DPIA.
  7. Systematic geolocalisation.
  8. The processing of indirectly collected data if one further criterion of the EDPB DPIA guidelines is met. In its initial proposal, the CNPD suggested that a DPIA would be required for processing based on indirectly collected data only "when it is not possible/feasible to guarantee the right of information". This last requirement has not been maintained in the final version.

It should be noted that the EDPB's 2017 DPIA guidelines also contain a list of "high risk" criteria; according to these guidelines, a DPIA is required if the processing meets two of them. The guidelines are not legally binding, but as soft law they carry high authoritative value and have EU-wide reach. Furthermore, with the adoption of the CNPD black list, the guidelines carry even more weight, since some black-listed processing activities require that one of the EDPB's 2017 DPIA criteria be met.

In any event, now that the CNPD has issued its black list and the EDPB's 2017 DPIA guidelines have more authority, Luxembourg-based data controllers have slightly more certainty regarding the situations in which a DPIA is required.

See also: Nautadutilh Avocats Luxembourg Sàrl (Mr. Vincent Wellens, Ms. Carmen Schellekens, Ms. Anne-Sophie Morvan, Ms. Faustine Cachera)

http://www.nautadutilh.com
