The CNPD (Portuguese Data Protection National Commission), as the Portuguese supervisory au-thority, has approved Regulation nr. 1/2018 (“Regulation”), pursuant to Articles 35, no. 4 and 57, no. 1, k) of the General Data Protection Regulation (“GDPR”), that provides a list of personal data processing activities that must be subject to a Data Protection Impact Assessment (“DPIA”).
Through this Regulation, the CNPD clarifies which situations, in addition to those already foreseen in Article 35, nr. 3 of the GDPR, in which, prior to the processing of personal data, the Controller shall carry out a DPIA.
A DPIA is a process that must be undertaken by the Controller, being mandatory only in some situa-tions. Its purpose is to mitigate the risks associated with the processing of data within the scope of new projects, systems, plans, proposals, strategies or policies.
The list presented in the Regulation is not exhaustive and is based on the public consultation, conducted by the CNPD, as well as the recommendations contained in Opinion nr. 18/2018 of the ECDC (European Data Protection Committee).
In short, according to Regulation no. 1/2018, in addition to the situations already defined in the GDPR, the processing of data must be preceded by a DPIA, when said processing:
- Involves the transmission by electronic devices of personal health data;
- Involves profiling on a large scale;
- Enables the location or behavior tracking of data subjects – such as employees or clients – and that allows the Controller to evaluate or classify said data subjects;
- Involves the processing of biometric data for unambiguous identification of their holders;
- Involves the processing of genetic data of vulnerable people;
- Is included in Article 9, nr. 1 or Article 10 of the GDPR or has a “highly personal nature”:
- With the use of particular technologies or carrying out particular types of processing opera-tion;
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- That results in an interconnection of personal data;
- Based on indirect collection, where it is not possible to ensure the right of information.
Lastly, concepts such as “data of highly personal nature”, “data processed on a large-scale “, “the processing of genetic data” or “particular technologies” should be interpreted in accordance with what is provided for in the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679” - WP248 rev.01, approved by the Article 29 Data Protection Working Party.