Background
Opinion 12/2018, adopted on 25 September 2018 by the European Data Protection Board (“EDPB”), has recently been made public. The EDPB is the body mainly in charge of ensuring a uniform and consistent application of EU Regulation 679/2016 on the protection of natural persons with regard to the processing of personal data (“GDPR”) in all Member States. The EDPB succeeded the previous “Working Party 29” (“WP29”) and has broader powers and new duties.
As part of its work of aligning the various national practices, in the last few months the Supervisory Authorities of the Member States submitted to the EDPB their lists of the “types of data processing” that require a prior “data protection impact assessment” (DPIA) as a condition for the lawfulness of the processing.
The Italian case
The list submitted by the Italian Data Protection Authority defines six types of processing that require a DPIA to be conducted beforehand. Specifically, these are: (i) processing of biometric data; (ii) processing of genetic data; (iii) processing carried out using innovative technologies; (iv) monitoring of employees; (v) “further processing of personal data”; and (vi) processing that refers to a “specific legal basis”.
The EDPB answered the Italian Data Protection Authority with its own observations, some of which were of a general nature while others were of a detailed “prescriptive” nature.
Specifically regarding the processing of biometric and genetic data, and processing carried out using new technologies, the EDPB considers that these types of processing are not in and of themselves able to create a clear risk to the rights and freedoms of the data subjects. In its opinion, a DPIA is required only if at least one more of the nine criteria is also present that are listed in the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679”, adopted by Working Party 29 and commonly referred to as the WP248 guidelines (e.g. processing that enables evaluation of an individual based on profiling; systematic monitoring; matching of various data sets).
On the other hand, the EDPB agrees with the Italian Data Protection Authority when the latter holds that systematic monitoring of individuals who are in and of themselves vulnerable, such as employees, constitutes processing that requires a DPIA.
Prospects
In conclusion, it will be interesting to see how the Italian Data Protection Authority proceeds: if it decides not to follow the “prescriptions” provided by the EDPB, Italy could be the first Member State to be involved in a new dispute resolution procedure before the Board under the so-called “consistency mechanism” pursuant to Articles 63, 64 and 65 of the GDPR.