


Extended scope of DPIA in Poland

On 8 July 2019 the President of the Personal Data Protection Office (PDPO) published a communication of 17 June 2019 concerning the list of personal data processing operations which require a data protection impact assessment.

The communication lists 12 types/criteria of processing operations which require a data protection impact assessment (DPIA), whereas the previous list contained only nine. According to the GDPR, if a type of processing, in particular one using new technologies, is very likely to pose a high risk to the rights and freedoms of natural persons because of its nature, scope, context and purposes, the data controller must carry out a data protection impact assessment before starting the processing.

The DPIA should include at least:
  1. a systematic description of the planned processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
  2. an assessment of whether the processing operations are necessary and proportionate to the purposes;
  3. an assessment of the risk to the rights and freedoms of data subjects;
  4. the measures planned to address the risk, including safeguards, security measures and mechanisms to protect the personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
The President of the Personal Data Protection Office states in the communication that, as a rule, a data protection impact assessment should be carried out if the processing meets at least two of the twelve listed criteria:
  1. Evaluation or assessment, including profiling and anticipation (behavioural analysis) for purposes triggering adverse legal, physical or financial effects or other inconveniences for individuals.
  2. Automated decision making triggering legal, financial or similar significant consequences.
  3. Regular large-scale monitoring of public areas utilising recognition of features or properties in objects within the monitored areas. This group of systems does not include CCTV systems which record images used exclusively to analyse incidents of law violations.
  4. Processing special categories of personal data and data on criminal convictions and offences (sensitive data according to WP 29 opinion).
  5. Processing biometric data exclusively to identify an individual or to control access.
  6. Processing genetic information.
  7. Large-scale data processing, where "large scale" is assessed by reference to:
    - the number of data subjects;
    - the scope of processing;
    - the data storage period; and
    - the geographic scope of processing.

  8. Comparisons, assessment or conclusion drawing based on analysis of data obtained from various sources.
  9. Processing the data of persons who are assessed by, or who receive services dependent on, entities or individuals holding supervisory and/or evaluation rights.
  10. Innovative use or application of technological or organisational solutions.
  11. Where the processing itself prevents data subjects from exercising their rights or using a service or contract.
  12. Processing location information.

Entities obliged to conduct a DPIA

The list of obliged entities is not clear. What we know for sure is that they include private businesses as well as government agencies and state-owned enterprises. According to the communication, DPIA may need to be conducted especially by:
  • marketing agencies;
  • HR firms;
  • banks, financial and lending institutions;
  • insurance companies;
  • companies which offer or operate sectional speed checks and automatic toll collection such as viaTOLL;
  • web stores;
  • mass transportation providers (e.g. public transport);
  • bike, scooter, car and similar rental providers (including e.g. cities that offer city bikes);
  • paid parking zone operators but also municipalities where parking zones exist;
  • companies that collect data by smart devices (e.g. manufacturers of such devices, app suppliers);
  • entities that collect genetic material for examinations (hospitals, laboratories etc.);
  • political organisations;
  • telecommunications operators;
  • utility suppliers;
  • mass data processors (especially central and local government administration);
  • job offer providers;
  • operators of facial, voice and fingerprint recognition systems (e.g. systems controlling access to the workplace).

Obligations arising from the DPIA communication

If your data processing meets more than one of the criteria listed in the communication, you have to carry out a DPIA. However, this does not mean that you are released from that obligation if none of the criteria is met: a DPIA must always be carried out when there is a high risk of a data security breach in your company.


Implications of a failure to do a DPIA

Pursuant to Article 83(4) of the GDPR, if you fail to carry out a DPIA where it is required (i.e. where there is a high risk of a data security breach), you are liable to a fine of 10 million euro or 2% of your annual global turnover, whichever is higher.


Benefits from doing a DPIA

By carrying out a DPIA you can be confident that the data you process are secure, and thus (provided you implement the relevant technical measures) you limit the risk of both a data leak and a harsh penalty.

It may also happen that you think a DPIA is not necessary but the PDPO disagrees, in which case you will face a penalty following from an inspection.

Therefore, even if you are not obliged to carry out a DPIA, it is worth considering.

You may carry out a DPIA on your own or contract someone to do it. Thanks to their vast experience in data protection, Rödl & Partner's experts will do it properly and will point out areas which need improvement, from both a legal and a technical perspective.
