Lidia Gimeno

Abogada en Protección de Datos y Derecho de las Nuevas Tecnologías

¿Am I obliged to do a PIA?

After the application of the General Data Protection Regulation next 25th may 2018, in some data processings the controller will be obliged to make a PIA (Privacy Impact Assessment).

But, ¿What is a PIA?

As a brief definition, a PIA could be defined as an analysis of the impact of the data processing that the controller will do in the rights and freedoms of the data subjects.

In the new regulation, in the article 35, there are some cases where the PIA is compulsory.

¿In which cases I am compelled to do a PIA? 

The article 35(1) GDPR states that a PIA should be done in those cases when in the processing of the personal data a high risk in the rights and freedoms of the data subjects is created.

As this is clearly an indeterminate concept, the recital 91 of the GDPR indicates that a PIA should be done when large-scale processing operations take place, processing a great number of personal data, and that could affect a large number of data subjects and are likely to result in a high risk (whether if this derives because a technology of large scale processing is used or because the processing operations done make the exercise of the rights of data subjects more difficult).

In this recital it is also established that the processing of personal data will not be considered to be on a large scale if the processing concerns personal data from patients or clients of “an individual physician, other health care professional or lawyer”.

I would like to make a personal reflection about what I have just stated. The recital 91 makes a reference to the data from “an individual (physician, other health care professional or lawyer)“, being formulated all the sentence in singular. For this, a doubt is raised, in the case the processing is done by a law firm (with different lawyers), ¿would they have the obligation to do a PIA? (We should have in mind that depending on the cases treated, the law firm would process data related with criminal infractions, administrative infractions, or especial protected data).

As what it was indicated previously is a wide and vague concept, the article 35(3) GDPR indicates 3 cases in which a data processing complies with the characteristics to be considerated as a high risk for the rights and freedoms of data subjects.

  1. When in the processing a systematic and extensive evaluation of personal aspects relating to natural persons is done based on automated processing and on which decisions are based, producing legal effects or affecting data subjects. This is the case of automated individual decision-making, that, even being forbidden as a general norm in the article 22 GDPR, are permitted in some cases. An example of an automated individual decision-making could be the application for a preapproved line of credit that, analysing your bank data, authorises the credit automatically (whether, in this case, the AID is positive for the client).
  2. When the processing is done on a large scale of special categories of data or criminal convictions and offences.
  3. When in the processing a systematic monitoring of a publicly accessible area on a large scale in done.

In addition, the Control Authorities should create lists in which they will indicate if some data processing will be obliged to do a PIA. Nowadays, the Spanish Authority does not approved this list.

It is very important to comply with this obligation as the article 83(4)(a) GDPR establishes that the omission of doing a PIA when is compulsory will derive in an administrative sanction. Having in mind the limit established in the regulation for the fines, I believe it is very important to know when a controller is obliged to do a PIA.