Under Art. 35 par. 1 of Regulation (EU) 2016/679 (GDPR), a data controller must carry out a data protection impact assessment (DPIA) whenever a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. To facilitate the application of this obligation, the Commission for Personal Data Protection (CPDP), acting under Art. 35 par. 4 of the Regulation, adopted at a regular meeting in early February 2019 a list of the kinds of processing operations for which a DPIA is required. The list is not exhaustive and may be updated subsequently.
A DPIA is required in every case where a type of processing is likely to pose a high risk to the rights and freedoms of data subjects, and in any event in the cases set out in Art. 35 par. 3, namely:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
- a systematic monitoring of a publicly accessible area on a large scale.
In addition to the cases listed above, the list adopted by the CPDP includes the following processing operations for which a DPIA is mandatory:
- Large-scale processing of biometric data for the purpose of uniquely identifying a natural person, where the processing is not sporadic.
- Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects him/her.
- Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects him/her.
- Processing operations linked to large-scale processing for which the provision of information to the data subject pursuant to Art. 14 of the GDPR is impossible, would involve disproportionate effort, or is likely to render impossible or seriously impair the achievement of the objectives of that processing.
- Processing of personal data by a controller whose main establishment is outside the EU, where its designated representative in the EU is located on the territory of the Republic of Bulgaria.
- Regular and systematic processing for which the provision of information pursuant to Art. 19 of the GDPR by the controller to the data subject is impossible or requires disproportionate effort.
- Processing of personal data of children in relation to the offer of information society services directly to a child.
- Migration of data from existing to new technologies, where this is linked to large-scale data processing.