IN WHAT CASES DO I NEED A DATA PROTECTION IMPACT ASSESSMENT (DPIA) IN SPAIN?

22 Aug IN WHAT CASES DO I NEED A DATA PROTECTION IMPACT ASSESSMENT (DPIA) IN SPAIN?

IN WHAT CASES DO I NEED A DATA PROTECTION IMPACT ASSESSMENT (DPIA)?

There are two phases to come to a conclusion and answer the question:

Phase I: First, you must consult the lists of data treatments in which the law establishes the DPIA as obligatory. These are the following:

1) Systematic and exhaustive evaluation of personal aspects of natural persons based on an automated treatment, such as the elaboration of profiles, and on which the basis of decisions are made so that they produce legal effects for individuals or affect them significantly in a similar way;

2) Large-scale treatment of special categories of data (personal data revealing ethnic or racial origin, political views, religious or philosophical convictions, or union affiliation, and processing of genetic data, biometrics data aimed at unambiguously identifying a natural person, health data or data relating to sexual life or sexual orientation of a natural person), or personal data relating to convictions and criminal offences.

3) Large-scale systematic observation of a public access area.

If the treatment is not included in the commented postulations and in none of the lists, it does not imply that it is not necessary to carry out the DPIA, and in any case, it will be necessary to move to the second phase of analysis.

Phase II: Analysis of the nature, scope, context and purposes of treatment

Nature of Treatment: the most basic characteristics of the treatment should be assessed and see if they can involve a high risk. For example (a certain number of affirmative answers implies an obligatory DPIA):

Are special categories of data treated?

Are large-scale data treated?

Is there a thorough follow-up of people?

Are different sets of data combined? (Different sources of information)

Do the data refer to people in a situation of vulnerability?

Scope of treatment: the effects or consequences of treatment should be assessed, identifying the extent to which it can reach and whether it can pose a high risk. For example:

Is there a decision-making process with legal effects?

Is a credit risk assessment performed?

Is the exclusion of social or tax benefits valued?

Treatment context: The set of circumstances under which treatment activities will be carried out should be assessed in order to verify whether they could pose a high risk. For example:

Is there a use of new technology? Is it especially invasive for privacy?

Are there several people responsible for the treatment?

Are there complex chains of treatment managers?

Are international transfers produced?

Are there data transfers?

Treatment purposes: Each of the purposes of treatment should be identified and analyzed if they derive at high risk. For example, if the purpose includes:

Decision Making

Elaboration of profiles

Predictive analysis

Providing health-related services

Supervising, monitoring and observation of people