Data processing activities subject to data protection impact assessment
The Hungarian data protection authority (NAIH) has published on its website a list of data processing activities where data controllers must prepare a data protection impact assessment (DPIA). The list is not exhaustive but may still be a helpful tool for data controllers when having to analyze if the preparation of a DPIA is necessary or not.
The list contains the following data processing activities:
1) Where the processing of biometric data refers to systematic monitoring.
2) Where the processing of biometric data concerns vulnerable data subjects, in particular, children, employees, and people with mental illness.
3) Where the processing of genetic data is carried out in connection with sensitive data or data of a highly personal nature.
4) Where the purpose of processing of genetic data is to evaluate or rate a natural person.
5) Scoring. The purpose of data processing is to assess certain characteristics of the data subject, and its result has an effect on the quality or the provision of the service provided and to be provided to the data subject.
6) Credit rating. The purpose of data processing is to assess the credit-worthiness of the data subject by way of evaluating personal data in large scale or systematically.
7) Solvency rating. The purpose of data processing is to assess the solvency of the data subject by way of evaluating personal data in large scale or systematically.
8) Further use of data collected from third persons. The purpose of data processing is the use of personal data collected from third persons in the decision to refuse or cancel a service to the data subject.
9) The use of the personal data of pupils and students for assessment. The purpose of data processing – regardless of whether tuition is at primary, secondary or advanced level – is to record and examine the preparedness, achievement, aptitude, and mental state of pupils and students, and the data processing is not statutory.
10) Profiling. The purpose of data processing is profiling by way of evaluating personal data in large scale and systematically, especially when it is based on the characteristics of the workplace performance, financial status, health condition, personal preferences or interests, trustworthiness or conduct, residence or movement of the data subject.
11) Anti-fraud activity. The purpose of data processing is to use credit reference, anti-money-laundering or anti-terrorism financing, and anti-fraud databases for screening clients.
12) Smart meters. The purpose of data processing is the application of “smart meters” set up by public utilities providers (the monitoring of consumption customs).
13) Automated decision with legal effects or similarly significant effects. The purpose of data processing is to make decisions with legal effects or other significant effects on natural persons, which decisions might result in the exclusion of or discrimination against individuals in certain cases.
14) Systematic surveillance. Systematic and large scale surveillance of data subjects in public areas or spaces by camera systems, drones or any other new technology (wifi tracking, Bluetooth tracking or body cameras).
15) Location data. Where the processing of location data refers to systematic monitoring or profiling.
16) Monitoring employee work. Where the purpose of data processing is the systematic and extensive processing and assessment of employee’s personal data in the course of the monitoring of employee work, including placing GPS trackers on vehicles, and camera surveillance against theft or fraud.
17) Processing of considerable amounts of special categories of personal data. Under Recital (91) of the GDPR, processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.
18) The processing of considerable amounts of personal data for law enforcement purposes.
19) Processing of large amounts of data related to vulnerable data subjects for purposes different from the original purpose, in the case of, e.g., the elderly, children, and persons with mental illness.
20) The processing of the personal data of children for profiling, automated decision making, marketing purposes or providing them information society related services directly.
21) The use of new technologies for data processing. This includes the processing of large amounts of data obtained via sensor-equipped devices (e.g. smart televisions, smart household appliances, smart toys, etc.) and transferred through the Internet or other channels, and such devices providing data on the characteristics of the financial status, health condition, personal
interests, trustworthiness or conduct, residence or movement of the natural person, and such data form the basis of profiling.
22) The processing of health data. In respect of large amounts of special data processed by hospitals, healthcare providers, and private medical services or non-medical practitioners with a large clientele. This also includes the processing of health data collected from members of major sports establishments or workout rooms.
23) When the data controller is planning to set up an application, tool, or platform for use by an entire sector to process also special categories of personal data.
24) The purpose of data processing is to combine data from various sources for matching and comparison purposes.
It is the data controller's obligation to prepare an analysis in a documented form and prior to the data processing taking place if a given data processing activity is subject to a DPIA. Furthermore, the data controller is required to continuously monitor if, due to the change of circumstances, the preparation of a DPIA becomes necessary. If a DPIA has to be prepared, the data controller has to do so prior to the commencement of the data processing activity and as the case may be (if the residual risk identified in the DPIA is still not at an acceptable level), it has to consult the data protection authority.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.