France’s data protection authority, CNIL, fined a company €3.5 million for, among other things, failing to conduct a data protection impact assessment (DPIA).
What happened?
The CNIL found that, although the company in question had obtained consent for participation in a loyalty programme, the consent language did not mention that the data would be shared with social media companies for profile matching and personalised advertising purposes. This meant that the consent was neither informed nor specific, and the processing was therefore unlawful.
Further violations contributed to the amount of the fine, including the inadequate implementation of information obligations and of technical and organisational measures, and the lack of a DPIA.
When is a DPIA mandatory?
The GDPR requires a DPIA if data processing is likely to result in a high risk to the rights and freedoms of natural persons (Art. 35(1) GDPR). But when is this the case?
- Guidelines of the Article 29 Data Protection Working Party
In its guidelines (WP 248), the working party has defined nine criteria which, when met, often indicate a high risk and therefore require a DPIA. The following are particularly relevant in the context of the CNIL fine:
5. Data processing on a large scale
6. Matching or combining datasets
Important: The more criteria that are met, the more likely it is that a DPIA will need to be carried out. However, even if only one criterion is met, there may already be a high risk.
- DPIA ‘must’ list of data protection authorities
In addition to the general criteria, many data protection authorities have published so-called ‘must’ lists, which enumerate specific processing activities that always require a DPIA. In Germany, the Data Protection Conference (DSK) has created such a list.
What should companies do now?
Check whether your data processing requires a DPIA using the guidelines of the Article 29 Data Protection Working Party and the DPIA ‘must’ list of data protection authorities. If necessary, carry out the DPIA and document your assessment.
Are you unsure whether your data processing requires a DPIA? We would be happy to assist you with the risk analysis and preparation of a DPIA. Please contact us!