The GDPR entered into force on May 25, 2018. One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy. DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make. Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high risk” processing activities and the safeguards they have implemented to protect individuals’ privacy.
The GDPR grants DPAs certain flexibility to determine when companies under their jurisdiction must – or need not – conduct a DPIA. Article 35(4) permits DPAs to issue “blacklists”, i.e. lists of processing activities that always require a DPIA. At the same time, Article 35(5) GDPR permits DPAs to conduct “whitelists”, i.e. processing activities that can be conducted without a DPIA. The Article 29 Working Party (WP29) provided general guidance on when DPIAs should be conducted, and as we reported earlier, the Belgian DPA issued its own proposal for black- and whitelists which largely followed the WP29 guidance.
On the day the GDPR entered into force, the DPA of Austria issued what appears to be the first binding whitelist approved by the DPA of an EU Member State. The Austrian DPA lists 22 processing activities that do not require a DPIA. Among the more salient are:
Customer and supplier management, accounting, logistics, and bookkeeping, defined as processing “in the context of business relationships with customers and suppliers”, including “systematically recording all matters relating to revenue and expenses.”
HR administration, defined as processing or retaining personal data for purposes of payroll administration, complying with recordkeeping or reporting requirements, as long as doing so is required under “statutes, collectively negotiated norms, or obligations of employment agreements.” These types of processing can involve sensitive data or criminal history data, and the Austrian DPA indicates that processing these types of data is still permitted without a DPIA if permitted by a “statutory permission” or a “legal obligation.”
CMR and Marketing for Own Business Purposes, defined as “processing a company’s own data” or “purchased data” relating to customers or prospects “to initiate a business a relationship,” “to execute marketing measures,” or for sending newsletters.
Building access controls, defined as monitoring access rights to buildings and/or restricted areas via automated systems, but not including systems that process biometric data.
IT user access rights management, defined as managing user names and passwords and keeping access logs.
CCTV monitoring in limited circumstances. The Austrian DPA provides building owners and homeowners with strictly limited rights to deploy CCTV cameras without conducting a DPIA.
Event Planning, defined as processing for the purposes of inviting and registering attendees, communicating with attendees, organizing travel and stays, managing event-related expenses, and creating event recordings, videos, and photos.
The Austrian DPA’s whitelist includes additional DPIA exemptions for processing by sole-practitioner professionals (such as doctors, pharmacists, and attorneys); inventory management; scientific research and statistics on the basis of specific statutory provisions; and video and audio recording done for “documentary purposes.”
The Austrian DPA’s whitelist provides a helpful guide as to how one Member State DPA views processing activities that should be considered not as “high risk.” As can be seen above, the Austrian DPA treats a number of standard business support and back-end activities as low-risk activities. This may assist companies in prioritizing which activities require immediate DPIA attention, and may help other Member State DPAs level-set as to activities they also wish to whitelist.
The Austrian DPA’s whitelist guidance can be downloaded (in German) here.