EDPB's 9 Worked Examples on DPIAs

When do you NEED to do a DPIA? Here are the EDPB's 9 Worked Examples and, again, we've a great infographic you can download!

We’ve done a blog on the DPIA test in EU GDPR and, in particular, the EDPB Guidelines’ famous 9 Criteria to consider under EU GDPR when deciding whether a DPIA is required.

But the Guidelines didn’t stop there – they helpfully gave 9 Worked Examples of when you need to do a DPIA – so we’ve set them out here and, again, we’ve a great infographic for you!

Again, the EDPB Guidelines are very relevant to UK GDPR – they’re even expressly incorporated into the UK ICO’s guidance on when to do a DPIA. (As you’ll see in our blog on UK GDPR and the UK ICO’s own 10 DPIA Criteria.)

Let’s dive into the EDPB’s 9 Worked Examples of when you need to do a DPIA!

 

The EDPB’s 9 Worked Examples on DPIAs

The 9 Worked Examples apply the 9 Criteria. We’ve set those examples out below plus our lovely infographic.

As we saw in our blog on the criteria, the EDPB also give 3 tips on how to apply the 9 Criteria:

  • ‘In most cases, a data controller can consider that a processing meeting two criteria would require a DPIA to be carried out.’
  • ‘In general, the [EDPB] considers that the more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and
    therefore to require a DPIA, regardless of the measures which the controller envisages to adopt.’
  • ‘However, in some cases, a data controller can consider that a processing meeting only one of these criteria requires a DPIA.’

The EDPB’s 9 DPIA Worked Examples Keepabl Infographic


 

Worked Example #1: Hospital processing its patients’ genetic and health data

DPIA Needed? Yes

Criteria Engaged:

  • #4 Sensitive or highly personal data
  • #5 Large scale
  • #7 Vulnerable data subjects

 

Worked Example #2: Individual physician, other health care professional or lawyer, processing personal data from patients or clients

DPIA Needed? No

Criteria Engaged:

  • #4 Sensitive or highly personal data
  • #7 Vulnerable data subjects

 

Worked Example #3: Camera system monitoring driving behaviour, analysing videos to single out cars

DPIA Needed? Yes

Criteria Engaged:

  • #3 Systematic monitoring
  • #8 Innovation & new technology

 

Worked Example #4: Company systematically monitoring employees’ activities, work stations, internet activity etc

DPIA Needed? Yes

Criteria Engaged:

  • #3 Systematic monitoring
  • #7 Vulnerable data subjects

 

Worked Example #5: Gathering public social media data for generating profiles

DPIA Needed? Yes

Criteria Engaged:

  • #1 Evaluation or scoring
  • #4 Sensitive or highly personal data
  • #5 Large scale
  • #6 Matching or combining datasets

 

Worked Example #6: Institution creating a national level credit rating or fraud database

DPIA Needed? Yes

Criteria Engaged:

  • #1 Evaluation or scoring
  • #2 ADM + legal or similar effect
  • #4 Sensitive or highly personal data
  • #9 Prevent rights or use of service

 

Worked Example #7: Archiving pseudonymised sensitive data on vulnerable data subjects of research projects or clinical trials

DPIA Needed? Yes

Criteria Engaged:

  • #4 Sensitive or highly personal data
  • #7 Vulnerable data subjects
  • #9 Prevent rights or use of service

 

Worked Example #8: Online magazine using mailing list to send generic daily digest to subscribers

DPIA Needed? No

Criteria Engaged:

  • #5 Large scale

 

Worked Example #9: E-Commerce site displaying ads for vintage car parts involving limited profiling based on items viewed or purchased on its site

DPIA Needed? No

Criteria Engaged:

  • #1 Evaluation or scoring

 

We trust this summary, and the infographic, are helpful to you in getting the job done on Privacy Governance at your organisation. Do read the full Guidelines. And do find out how easy we make managing Assessments in Keepabl.

 

Make your Assessments work in Keepabl

Arrange your demo to see how easy we can make managing Assessments for your organisation and get your two-week, no strings attached, FREE TRIAL of Keepabl!

And don’t just take our word for it… See how much our customers love us in our customer case studies!

 

 

 

