The List of Processing Operations Requiring DPIA Approved by the Data State Inspectorate

​Pursuant to its official order approved on December 18^th, 2018, Data State Inspectorate (DSI) has finally released a long-awaited communication on the list of the personal data processing activities, which require Data Protection Impact Assessment (DPIA) to comply with the General Data Protection Regulation (GDPR) requirements. Unfortunately, DSI communication merely follows the exact wording of Article 29 Working Party on the DPIA criteria previously articulated in the Guidelines on Data Protection Impact Assessment (DPIA) dated October 4^th, 2017, without providing any further elaboration on the application of the aforementioned criteria. Moreover, some of the listed activities merely resemble DPIA criteria without describing any specific personal data processing operations, which are likely to result in a high risk to the rights and freedoms of the natural persons.

In accordance with the communication, DSI prescribes controllers having their sole or primary place of establishment in the Republic of Latvia to conduct DPIA at least regarding following personal data processing operations:

• processing of the personal data on a large scale based on automated processing, including profiling;
• processing of the personal data on the criminal convictions and offences or related security measures’
• monitoring data subjects on a large scale or at the place of work or other locations, such as educational facilities, health care facilities, detention facilities;
• processing of the genetic or biometric data for the identification of the natural person, if at least one of the nine DPIA criterion referred in the Guidelines is present;
• processing of the personal data using innovative technological solutions and methods, if at least one of the nine DPIA criterion referred in the Guidelines is present;
• tracking natural persons on a large scale via lifestyle applications;
• processing geographical location of the data subject, if at least one of the nine DPIA criterion referred in the Guidelines is present;
• processing of the personal data via information society services targeting underage individuals;
• processing of the personal data from the deferent datasets to facilitate synchronisation and application;
• processing of the personal data for scientific or historical purposes without the consent of the subject, if at least one of the nine DPIA criterion referred in the Guidelines is present; as well as
• processing of the personal data, when it is impossible to ensure the right of the data subject to be informed on the recipients of the notification regarding rectification and/or erasure of the personal data by the controller.

Although undoubtedly reaching beyond DPIA eligible processing operations illustrated by GDPR Article 35(3), the aforementioned list of the personal data processing activities sheds only some light on the application of DPIA.

DSI further emphases a non-exhaustive nature of the articulated list leaving it up to the controllers to examine any specific personal data processing operation on its merits. DSI repeatedly encourages controllers to conduct DPIA in case of any doubts regarding GDPR compliance of the upcoming processing operations. Whether such indecisive wording of the DSI communication will undermine selective application of DPIA in favour of its excessive use provoking increase in the operational costs of the controllers, remains to be seen.