The GDPR has been in effect since May 25, 2018, but not all companies are “GDPR-proof” yet. An important (first) step is to map out the processes in which personal data is processed for the “register” (the record of processing activities). Which data is processed, for what purpose, is the data minimised, and have technical and organisational security measures been taken?
Some processing operations with a potentially high privacy risk or on a large scale must first be rigorously assessed via a so-called “DPIA” (data protection impact assessment), for example where the controller:
- systematically and extensively evaluates personal aspects based on automated processing, including profiling, and bases decisions on this that have consequences for people;
- on a large scale processes special categories of personal data or processes criminal data;
- monitors people on a large scale and systematically in a publicly accessible area (for example, with camera surveillance).
The Dutch Data Protection Authority (AP) has drawn up a (non-exhaustive) list of processing operations for which a DPIA must be carried out in advance: https://bit.ly/2ODel6V. This list is included below.
AP list of processing operations for which a DPIA is mandatory:
1. Covert investigation
Large-scale and/or systematic processing of personal data whereby information is collected through investigation without informing the data subject in advance.
For example, covert investigations by private investigation agencies, investigations in the context of fraud prevention and investigations on the internet in the context of, for example, online enforcement of copyright. Covert camera surveillance by employers in the context of theft or fraud prevention by employees (in the case of the latter processing, a DPIA must also be carried out in incidental cases).
2. Blacklists
Processing operations in which personal data concerning criminal convictions and criminal offences, data on unlawful or nuisance behaviour (Article 33, paragraph 4, introductory sentence and under c, UAVG) or data on poor payment behaviour by organisations or individuals are processed and shared with third parties.
For example, blacklists or warning lists, such as those used by insurers, catering companies, retail companies and telecom providers, as well as blacklists relating to unlawful behaviour by employees, for example in healthcare or at employment agencies.
3. Fraud prevention
Large-scale and/or systematic processing of (special) personal data in the context of fraud prevention. For example, fraud prevention by social services or by fraud departments of insurers.
4. Credit scores
Large-scale and/or systematic data processing operations that lead to or make use of estimates of the creditworthiness of natural persons, for example expressed in a credit score.
5. Financial situation
Large-scale and/or systematic processing of financial data from which the income or asset position or spending pattern of people can be derived. For example, overviews of bank transfers, overviews of the balances of someone’s bank accounts or overviews of mobile or pin payments.
6. Genetic personal data
Large-scale and/or systematic processing of genetic personal data. For example, DNA analyses for the purpose of mapping personal characteristics, bio-databases.
7. Health data
Large-scale processing of data on health (for example, by institutions or facilities for healthcare or social services, occupational health services, reintegration companies, (special) educational institutions, insurers, and research institutes), including large-scale electronic exchange of data on health.
Please note: individual doctors and individual healthcare professionals are exempt from the obligation to carry out a DPIA on the basis of recital 91 of the GDPR.
8. Partnerships
The sharing of personal data in or by partnerships in which municipalities or other government bodies exchange special categories of personal data or personal data of a sensitive nature (such as data on health, addiction, poverty, problematic debts, unemployment, social problems, criminal data, involvement of youth care or social work) with other public or private parties. For example, in district teams, security houses or information hubs.
9. Camera surveillance
Systematic and large-scale monitoring of publicly accessible areas using cameras, webcams or drones.
10. Flexible camera surveillance
Large-scale and/or systematic use of flexible camera surveillance. For example, cameras on clothing or helmets of fire or ambulance personnel, dashcams used by emergency services.
11. Employee monitoring
Large-scale and/or systematic processing of personal data to monitor the activities of employees. For example, monitoring of e-mail and internet use, GPS systems in employees’ vehicles or lorries, or camera surveillance for the purpose of theft and fraud prevention.
12. Location data
Large-scale and/or systematic processing of location data of or traceable to natural persons. For example, by (scan) cars, navigation systems, telephones, or processing of location data of travellers in public transport.
13. Communication data
Large-scale and/or systematic processing of communication data including metadata traceable to natural persons, unless and insofar as this is necessary to protect the integrity and security of the network and the service of the provider concerned, or the peripheral equipment of the end user.
14. Internet of things
Large-scale and/or systematic processing by controllers of personal data that are generated by devices that are connected to the internet and that can send or exchange data via the internet or otherwise. For example, ‘internet of things’ applications, such as smart televisions, smart household appliances, connected toys, smart cities, smart energy meters, medical devices, etc.
15. Profiling
Systematic and extensive assessment of personal aspects of natural persons based on automated processing (profiling). For example, assessment of professional performance, performance of students, economic situation, health, personal preferences or interests, reliability or behaviour.
16. Observation and influencing of behaviour
Large-scale processing of personal data whereby the behaviour of natural persons is systematically observed, collected, recorded or influenced via automated processing, including data that is collected for the purpose of online behavioural advertising.