German DPA Publishes Blacklist Of Processing Operations Subject To A “DPIA”

King & Spalding

On August 15, 2018, the federal committee of the German supervisory authorities, also known as the Data Protection Conference (Datenschutzkonferenz, “DSK”), published on its website a joint list of processing operations (“Blacklist”) that are subject to the requirement for a Data Protection Impact Assessment (“DPIA”) pursuant to Article 35(1) of the General Data Protection Regulation (“GDPR”).  The Blacklist applies uniformly in all German Federal States and replaces the blacklists previously published by some data protection agencies at the state level.  A convenient English translation of the July version of the Blacklist is published here.

Article 35(1) of the GDPR requires companies to conduct a DPIA where a type of processing uses new technologies and, given the nature, scope, context, and purposes of the processing, is likely to result in a “high risk” to the rights and freedoms of natural persons.  To assist companies in assessing whether a DPIA is required for an envisaged processing operation, Article 35(4) and (5) call upon the national supervisory authorities to establish and make public blacklists and/or whitelists of processing activities which do (blacklist) or, respectively, do not (whitelist) require a DPIA.

Whilst some member states, such as Belgium and Poland, have already published drafts of blacklists and whitelists, Germany seems to be among the first member states to publish a binding blacklist (the blacklist of the Information Commissioner’s Office is published here).

The Blacklist covers a total of 16 processing operations that mandatorily require a DPIA.  For each processing activity, the Blacklist further indicates the typical fields of application and provides concrete examples.  Among others, the following activities require a DPIA:

  • Extensive processing of data subject to social, professional, or special official secrecy – A company that offers a comprehensive directory of private insolvencies must therefore conduct a DPIA, as must a large law firm specializing in family law matters.
  • Processing of tracking and/or location data of customers or employees – This includes, for example, a car sharing company that processes extensive position and accounting data; a company that collects personal data that vehicles generate about their environment, e.g., to allocate free parking spaces; companies equipping their vehicles or other belongings with GPS trackers to protect valuable property; or companies that track offline customer movements in shopping centers.
  • Aggregation of data from various sources and further processing of the aggregated data – e.g., for the purpose of a fraud prevention system, for scoring, or to determine the default risk of repayments by individuals.  Central recording of activities at the workplace with the aim of detecting undesirable behavior (e.g., forwarding internal documents) will also typically trigger a DPIA.
  • Anonymization of sensitive personal data (e.g., health data), for example, by an insurance company that wants to use the anonymized data for its own purposes or share it with a third party.
  • The processing of data from fitness wristbands to improve training, as well as the use of an app by a physician to communicate with patients via video telephony, thereby collecting and processing health data from patients using sensors (e.g., blood sugar, oxygen mask, etc.).

The Blacklist, and in particular the examples provided therein, is a helpful tool for companies to assess whether their processing activities may fall within the scope of Article 35(1) of the GDPR.  Companies should be aware, however, that the Blacklist is not exhaustive.  The fact that an activity is not included in the Blacklist does not mean that it is automatically exempt from a DPIA.  Unlike Austria, which published a binding whitelist of exempted activities in May 2018, the DSK has refrained from publishing a binding whitelist for now.

For further reference, also see the Article 29 Working Party’s (“WP29”) “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679”.
