As globalisation and digitalisation become ever more tangible, businesses are broadening their activities in order to reach as many customers as possible. Serving a large number of customers or consumers means that economic operators process and store huge amounts of personal data, which in turn raises two questions: how the risk of such operations is to be assessed, and who within these organisations is to be responsible for the lawful processing and protection of personal data.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), better known as the GDPR, is the main instrument in force in the EU for the protection of personal data. The Regulation establishes a number of obligations relating to the processing and storage of the personal data of natural persons. In a previous article we covered appropriate preventive measures against breaches of data security in cyberspace and the obligations of the controller in putting them in place. In this publication we address two further topics: the data protection impact assessment and the designation of a data protection officer.
1. Risks to the protection of personal data and ways to address them
Personal data processing operations inherently carry risks to the rights and freedoms of natural persons. Personal data may be lost, disclosed to unauthorised persons or processed unlawfully. The level of risk depends mainly on the nature and scope of the processing. Large-scale operations involving special categories of personal data (genetic and biometric data, for example) carry a much higher degree of risk for the data subject than a small company processing its customers' addresses and telephone numbers.
As new technologies advance, the processing of personal data becomes an increasingly complex activity. That is why controllers and processors must identify and assess the possible risks in advance, examining the consequences that any processing could have. In this way organisations can identify, address and mitigate the risks of processing and significantly reduce the likelihood of a negative impact on individuals. To this end, the GDPR introduces the obligation to carry out a data protection impact assessment (DPIA).
2. In which cases a data protection impact assessment is mandatory
Article 35 of Regulation (EU) 2016/679 provides that a data protection impact assessment must be carried out where the processing is likely to result in a high risk to the rights and freedoms of the natural persons whose data are processed. The GDPR does not prescribe exactly how such a risk is to be assessed, but Recital 75 describes where these risks may arise from: examples include the analysis or prediction of aspects concerning performance at work, economic situation, health, personal preferences or interests, and much more. The processing operations that the GDPR itself treats as high-risk and for which a DPIA is required are the following: a systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person (a decision to grant or refuse a loan, a decision to hire or to terminate an employment relationship, etc.) or similarly significantly affect the natural person; large-scale processing of special categories of data or of personal data relating to criminal convictions and offences; and systematic large-scale monitoring of a publicly accessible area (for example, video cameras covering the area in front of a building or an office).
3. Content and consequences of the data protection impact assessment
The specific kinds of processing operations for which a DPIA is required are published, in accordance with Art. 35(4) of the Regulation, on the website of the Commission for Personal Data Protection (CPDP). Examples are the processing of location data for profiling purposes where this has legal effects for the data subject, or the large-scale processing of biometric data for the purpose of uniquely identifying a natural person. Where the assessment is mandatory, the controller must assess the necessity and proportionality of the processing as well as the risks to the rights and freedoms of data subjects. The assessment must also set out the security measures envisaged to address the identified risks. The guidelines on data protection impact assessment developed by the Article 29 Working Party (now the European Data Protection Board, EDPB) assist all controllers in carrying out a DPIA and in determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679. If the DPIA finds that the processing would result in a high risk to the rights of natural persons and the controller has not put in place measures to mitigate that risk, the controller must consult the CPDP before starting the processing (Article 36).
4. Data Protection Officer – functions and features
Another mechanism for protecting individuals' personal data during processing is the designation of a data protection officer, provided for in Article 37 of the GDPR. The officer may be a member of the controller's staff or an external person engaged by the controller's organisation; in either case a natural person entrusted with the following functions:
- advising on matters of personal data protection;
- monitoring compliance with the Regulation within the controller's organisation;
- awareness-raising and staff training.
The GDPR requires a data protection officer to be designated by the following categories of controllers and processors:
- public authorities or bodies, except for courts acting in their judicial capacity;
- controllers whose core activities, by virtue of their nature, scope and purposes, require regular and systematic monitoring of data subjects on a large scale (hospitals and insurers, for example);
- controllers whose core activities consist of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences (social networks and other Internet platforms, for example);
- all other controllers that do not fall within the above cases may designate an officer voluntarily to ensure the lawful processing of personal data.
The officer's tasks include informing and advising the controller or processor, and the employees who carry out processing, of their obligations under data protection law; monitoring compliance with the rules on personal data protection; and cooperating with the CPDP, among others (the full list is set out in Article 39 of the Regulation).
A notable feature of the role is that the officer acts as an intermediary: he or she is the point of contact for the supervisory authority (the CPDP), for data subjects and for the organisation that designated him or her. The officer is independent of the controller and may not receive instructions regarding the exercise of his or her tasks from the organisation that designated him or her, not even from its highest management level (managers, CEOs, etc.). In addition, the data protection officer may not be dismissed or penalised by the controller or processor for performing his or her tasks. In this way the Regulation guarantees the officer's independence.
When assessing all aspects of designating an officer, controllers should familiarise themselves with the Guidelines on Data Protection Officers ("DPOs") prepared by the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data (now the EDPB).
5. Conclusion on the personal data protection impact assessment mechanism and the data protection officer
The two instruments that are the focus of this publication are extremely useful for all economic operators, as they minimise the risk of violating the rights and freedoms of the individuals whose personal data are processed. Their implementation inevitably entails higher costs, which some organisations are reluctant to budget for, but on the other hand they significantly reduce the risk of the organisation being subject to severe sanctions for non-compliance with personal data protection rules. A clear example at the local level is the fine of BGN 5.1 million that the CPDP imposed on the National Revenue Agency over the leak of a huge amount of personal data in 2019, and internationally, the fine of around EUR 28 million imposed on the telecommunications operator TIM by the Italian data protection supervisory authority.