The list of data processing operations for which a Data Protection Impact Assessment is mandatory has been approved

The State Data Protection Inspectorate has approved the list of data processing operations subject to the requirement to perform a Data Protection Impact Assessment.

The Data Protection Impact Assessment is a novelty of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the General Data Protection Regulation).

The Data Protection Impact Assessment referred to in Article 35 of the General Data Protection Regulation is a process that must be carried out where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

When a Data Protection Impact Assessment is carried out, the processing operation is described, and the risk to the rights and freedoms of natural persons is identified, as well as the type of measures for eliminating that risk.

Furthermore, a Data Protection Impact Assessment is also carried out by assessing the data protection impact of a technological product, i.e. the use of hardware or software for the processing of personal data. According to the list drawn up by the State Data Protection Inspectorate, the assessment must be carried out in the following cases:

The list of data processing operations subject to the requirement to perform Data Protection Impact Assessment

1. Personal data processing is conducted for scientific or historical research purposes in at least one of the following cases:
1.1.    when special categories of personal data are being processed without the data subject's consent or personal data processing is conducted by matching or combining datasets;
1.2.    when data of under-age persons are processed;
1.3.    when the personal identification number is processed.

2. Large-scale personal data processing, when personal data has been received not from the data subject and the provision of information proves impossible or would involve a disproportionate effort, or such provision of information is likely to render impossible or seriously impair the achievement of the objectives of that processing.

3. Personal data processing when notification of data recipients, to whom personal data were disclosed, on personal data rectification, erasure or restriction of processing of personal data proves impossible or would involve a disproportionate effort.

4. Processing of biometric data for the purpose of uniquely identifying a natural person when processing is done for monitoring or control purposes or processing of personal data of vulnerable data subjects.

5. Processing of genetic data while evaluating the data subject's features or scoring, including profiling and forecasting.

6. Processing of personal video data when video surveillance is conducted in at least one of the following cases:
6.1. in premises and/or territories which are not owned by the controller or managed on other legal grounds, when video surveillance is conducted in accordance with the principles relating to the processing of personal data provided in Article 5 of Regulation 2016/679;
6.2. at healthcare, social care, detention establishments and other agencies where services are provided for vulnerable data subjects;
6.3. combined with sound recording.

7. Recording of telephone conversations.

8. Personal data processing using innovative technologies or using existing technologies in a new way when personal data of vulnerable data subjects are processed.

9. Processing of personal data of children for direct marketing purposes, assessment of personal aspects of children which is based on automated processing, including profiling, or when information society services are offered to children directly.

10. Processing of personal data of employees for monitoring or control purposes: processing of personal video and/or sound data in a workplace and/or the data controller's premises or territories where its employees work; processing of personal data related to monitoring of employees' communication, behavior, location or movement.

In conclusion, persons engaged in the activities mentioned above must take action to carry out the Data Protection Impact Assessment properly and in a timely manner.

The Data Protection Impact Assessment is a significant measure of accountability because it helps controllers demonstrate that they aim to ensure compliance with the General Data Protection Regulation.

The list published by the State Data Protection Inspectorate is non-exhaustive. Therefore, when evaluating whether a Data Protection Impact Assessment is required for the data processing operations being carried out, the assessment must follow the general criteria specified in Article 35 of the General Data Protection Regulation.

The list of all data processing operations for which the requirement of a Data Protection Impact Assessment is applicable can be found at https://www.etar.lt/portal/lt/legalAct/abb01940465511e9a221b04854b985af.
