Article 35.4 GDPR provides that each supervisory authority has to draw up and make public a list of the kind of data processing operations for which data controllers have to draw up a data protection impact assessment (or “privacy impact assessment”) (“DPIA”) prior to starting the data processing operation.
The official final list of the Belgian Data Protection Authority has been published in the Belgian Official Journal on 22 March 2019 and has entered into force on 1 April 2019.
Data processing operations
The Belgian Data Protection Authority found that a DPIA has to be drawn up for the following types of data processing operations:
- when the processing uses biometric data for the unique identification of data subjects who are in a public space or in private spaces that are accessible to the public;
- when personal data is collected from third parties in order to thereafter be taken into account in the decision to refuse or terminate a specific service agreement with a natural person;
- when health data of a data subject is collected in an automated manner using an active implantable medical device;
- when personal data is collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of natural persons;
- when special categories of personal data within the meaning of Article 9 GDPR or data of a very personal nature (such as data on poverty, unemployment, involvement of youth care or social work, data on household and private activities, location data) are systematically processed or exchanged between several data controllers;
- when there is large-scale processing of data generated by devices with sensors that send data via the internet or another medium (‘internet of things’ applications, such as smart televisions, smart household appliances, connected toys, smart cities, smart energy meters, etc.), and this processing serves to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of natural persons;
- when there is large-scale and/or systematic processing of telephony, internet or other communication data, metadata or location data from or traceable to natural persons (for example Wi-Fi tracking or processing of location data of travellers in public transport) when the processing is not strictly necessary for a service requested by the person concerned;
- when large-scale processing of personal data takes place where the behaviour of natural persons is observed, collected, recorded or influenced by automated processing, including for advertising purposes.
This list is not exhaustive. As soon as a processing operation falls within a situation described in Articles 35.1 or 35.3 GDPR, a DPIA has to be drawn up. The fact that a processing operation does not appear in this list does not mean that a DPIA is not required; conversely, as soon as a processing operation is included in this list, a DPIA has to be drawn up in any event.
The Data Protection Authority will reassess and, if needed, update this list every six months.
The official list can be downloaded here (French/Dutch only).