Belgian DPA Seeks Public Comments on DPIA Draft Recommendation

As the Belgian DPA (Commission de la protection de la vie privée) highlighted in a recent publication, data protection impact assessment (DPIA) obligations under the upcoming General Data Protection Regulation (GDPR) – particularly as it relates to how companies will be required to conduct them – are still quite nebulous.

To guide companies with implementation, and to answer the many practical questions raised by this new obligation, the Belgian DPA issued a draft recommendation on the subject and launched a public consultation to obtain input and suggestions from stakeholders (controllers, processors, and other concerned persons) before releasing the final recommendation.

Comments can be filed with the Commission until 28 February 2017. The Article 29 Working Party and ENISA (European Union Agency for Network and Information Security) are also expected to release additional guidance on this point in the near future.

The draft recommendation provides some insight about the legal context that gave rise to this new DPIA obligation, namely the accountability principle and the risk-based approach, both included in the GDPR.

Under the Directive 1995/46/EC, controllers had a general obligation to notify their local data protection authority of any processing, which created severe administrative and financial burden without improving data protection rights for individuals.

DPIAs were introduced to resolve this issue, and are now relied upon to assess risks to the rights and freedoms of natural persons which may occur through processing of personal data, as well as consider and determine how such risks can be avoided.

The key takeaways from the Belgian recommendation are the following:

  1. The essential elements of a DPIA
  2. The circumstances under which DPIAs are required
  3. The circumstances under which a prior consultation with the competent supervisory authority is required, and
  4. The stakeholders who should be involved in the DPIA
  5. The two lists that will help to determine whether a DPIA is necessary

Under the GDPR, each supervisory authority is tasked with establishing a public a list of the kind of processing operations that are subject to the requirement for a DPIA[1].

The Belgian draft recommendation sets forth such a list, which includes twelve specific situations, most notably: processing activity that uses biometrics or genetic data to identify individuals, and processing activity that establishes large-scale profiling on individuals.

Additionally, each supervisory authority may establish and make public a list of the kind of processing operations for which no DPIA is required[2].

The Belgian draft recommendation presents this list, as well, which includes seven specific situations, most notably: processing activity that concerns the accounting of the controller (where data is exclusively used for this purpose), and processing activity that concerns data that’s critical for processing, data that’s kept for longer than needed, and data that’s shared with third parties, but only where necessary.

The recommendation emphasizes, however, that the lists are non-exhaustive, and should be used as starting points for controllers when assessing the necessity to conduct a DPIA.

It also stresses that the lists do not, in any way, impact the obligation for controllers to implement appropriate technical and organizational measures to ensure and to demonstrate that the processing is performed in accordance with the GDPR, considering the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons[3].

Furthermore, the recommendation indicates that it clearly results from Article 36 (1) that a prior consultation with the supervisory authority is only needed where the residual risk is high; only where the considered processing would present a high risk if the controller did not take any efficient measures to mitigate the risks.

The full draft recommendation can be accessed in French and in Dutch.

[1] Article 35(4) of the GDPR
[2] Article 35(5) of the GDPR
[3] Article 24(1) of the GDPR