Belgian Privacy Commission Issues Recommendation on Data Protection Impact Assessment
5 Minute Read
Categories: European Union, International
The Belgian Privacy Commission (the “Belgian DPA”) recently released a Recommendation (in French and Dutch) on Data Protection Impact Assessment (“DPIA”) and the prior consultation requirements under Articles 35 and 36 of the EU General Data Protection Regulation (“GDPR”) (the “Recommendation”). The Recommendation aims to provide guidance on the core elements and requirements of a DPIA, the different actors involved and specific provisions.
Key takeaways from the Recommendation are summarized below:
- Why proceed to a DPIA? The Belgian DPA states that the obligation to conduct a DPIA in certain circumstances should be understood in light of two central principles of the GDPR, namely the principle of accountability and the risk-based approach.
- When is a DPIA required? The Belgian DPA indicates that carrying out a DPIA is not mandatory for every processing operation. Instead, a DPIA is only required where a type of processing is “likely to result in a high risk to the rights and freedoms of natural persons.” The Belgian DPA refers to the Guidelines of the Article 29 Working Party (“Working Party”) for such assessment and, in particular, to the nine criteria set out in the Guidelines to consider when determining whether the processing of personal data is likely to create a high risk for the rights and freedoms of individuals. According to the Belgian DPA, if two criteria of this list are detected, a DPIA must be conducted.
- When should a DPIA be conducted? The Belgian DPA stresses that the DPIA must be done before any processing of personal data, and is a tool available to help make decisions concerning the processing.
- What are the essential elements of a DPIA? A DPIA must contain the systematic description of the considered processing as well as the purposes of the processing, including at the minimum a clear description of the processing, personal data involved, categories of recipients and retention period of the data, and finally the material (e.g., software, network, papers, etc.) on which the data are saved. The DPIA must also include an evaluation of the necessity and proportionality of the processing activities with regards to the purposes of the processing, taking into account several criteria. Additionally, the DPIA must include a risk assessment of the whole process of the identification, including the analysis and evaluation of those risks. To conduct such an assessment, companies can chose the method as long as it leads to an objective evaluation of the risks. However, the Belgian DPA recommends favoring existing risk management methods. Finally, the DPIA must include the measures anticipated to address those risks, such as the safeguards, security measures and tools implemented to ensure the protection of the data and compliance with the GDPR.
- Prior consultation of the Supervisory Authorities (“SAs”). The Belgian DPA states that the GDPR requires a prior consultation of the SAs only when the residual risk is high. If the risks can be mitigated, then a prior consultation is not mandatory.
The Belgian DPA also makes additional recommendations, including inter alia:
- Similar or joint processing activities. A single DPIA could be used to assess multiple processing operations that are similar in terms of nature, scope, context, purpose and risks.
- Monitoring and review. The controller should, if necessary, conduct a periodic review of the processing activity to assess whether the processing is consistent with the DPIA that was performed. Such a review must at least take place where there is a modification of the risk resulting from the processing operations.
- Preexistent processing. For processing activities prior to May 25, 2018, conducting a DPIA is only required if the risk(s) change after May 25, 2018 (e.g., a new technology is used or personal data are used for another purpose). However, the Belgian DPA recommends, as a best practice, to also conduct DPIAs for existing processing activities if they are likely to result in a high risk to the rights and freedoms of individuals.
Finally, the Recommendation includes annexes:
- Annex 1: The Belgian DPA recommends some minimal characteristics for appropriate risk management.
- Annex 2: The Belgian DPA provides a draft list of processing activities requiring a DPIA. The list includes, inter alia, processing of biometric data for the purpose of identifying individuals in a public area, collecting personal data from third parties for the purpose of making decisions (including to refuse or terminate) regarding a contract to which an individual is party, large-scale processing of personal data from vulnerable individuals (e.g., children), or large-scale processing of personal data where individuals’ behavior is observed, collected, established or influenced in a systematic manner and using automated means, including for advertising purposes.
- Annex 3: The Belgian DPA provides a draft list of processing activities that are exempt from a DPIA, including, inter alia, processing activities by private entities which are necessary to meet their legal obligations, subject to conditions, the processing of personal data for payroll purposes and HR management, and the processing of personal data for client and vendor management purposes, subject to certain conditions.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code