The Estonian data protection authority issued guidance on the definition of “large scale” processing
The Estonian data protection authority (Data Protection Inspectorate, DPI) issued guidance on the definition of “large scale” processing, relevant as regards the appointment of data protection officers (DPOs) and carrying out data protection impact assessments (DPIAs).
In the DPI's view, data processing could be considered to be on a large scale when it includes:
- special categories of personal data or personal data relating to criminal offences of 5000+ people;
- personal data of high risk of 10 000+ people;
- other personal data of 50 000+ people.
The need to carry out a DPIA.
Under Article 35 of the GDPR, the controller has to carry out a DPIA where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Under the GDPR, a DPIA shall in particular be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1) of the GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
- a systematic monitoring of a publicly accessible area on a large scale.
According to the Article 29 Working Party (WP29), "data processed on a large scale" is one of the nine criteria to be considered when assessing whether a processing operation requires a DPIA.[1]
The need to appoint a DPO.
Under Article 37(1)(a) of the GDPR, public authorities and bodies (except for courts acting in their judicial capacity) have to appoint a DPO in any case. Other controllers and processors have to appoint a DPO when the conditions of Article 37(1)(b) or (c) of the GDPR are met. Under Article 37(1)(b), a DPO must be designated where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. Under Article 37(1)(c), a DPO must be designated where the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 of the GDPR or of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
Problems in practice.
In practice, companies often have difficulty assessing whether they need to appoint a DPO and whether a DPIA has to be carried out. The difficulties arise mainly because the assessment entails an often complicated analysis of the company's data processing activities. WP29 issued guidelines and FAQs on DPOs already in December 2016 (revised in April 2017)[2] and on DPIAs in April 2017 (revised in October 2017),[3] which are certainly of help but do not provide clear-cut answers. Open-ended terms such as "large scale" have been especially troublesome to apply, although they are among the core concepts of both obligations.
Guidance by the Estonian DPI.
To assist companies to some extent, the Estonian DPI issued its guidance on how to define "large scale" in the context of deciding whether to appoint a DPO or carry out a DPIA. In the Estonian DPI's view, data processing is on a large scale when it includes:
- special categories of personal data or personal data relating to criminal offences of 5000+ people;
- personal data of high risk of 10 000+ people;
- other personal data of 50 000+ people.
It is interesting to note that in its guidelines on DPOs, WP29 stated that it is not possible to give a precise number, either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations, although WP29 did not exclude the possibility of a standard practice developing in the future.[4] However, according to WP29's guidelines, one of the factors that could be considered in determining whether processing is carried out on a large scale is the number of data subjects concerned, either as a specific number or as a proportion of the relevant population. In Estonia's case, it should also be kept in mind that the country has a population of about 1.3 million.
According to the DPI’s explanations in the guidelines, their considerations are based on the following:
5000+ people (special categories of personal data or personal data relating to criminal offences): Recital 91 of the GDPR (in relation to DPIAs) provides that processing should not be considered to be on a large scale if it concerns the personal data of patients by an individual physician or other health care professional. In Estonia, the most common individual physician is the family physician. Under Estonian law, a family physician's practice list may contain at most 2000 persons (2400 when at least one other health care professional qualified as a physician provides general medical care to the persons on the list together with the family physician). The threshold of 5000 people therefore corresponds to the practice lists of two to three family physicians. Recital 91 of the GDPR also refers to individual lawyers, but there is no reliable data on the number of clients of lawyers. The DPI also considered that the GDPR's standards for special categories of personal data are stricter than those of the previously applicable Personal Data Protection Act, which is why the DPI found it reasonable to set the threshold for special categories of personal data at half of the threshold for other sensitive data (high-risk data).
10 000+ people (personal data of high risk):
The notion of high risk derives from Recital 75 of the GDPR.[5] The DPI gives the following examples of high risk:
- identity theft or fraud (especially in relation to digital trust services and comparable identity management services);
- financial loss (especially through bank and credit card services);
- breach of the secrecy of communications (especially in the case of communications services);
- tracking the location of a person in real time (especially in the case of communications services);
- disclosure of a person's economic situation (especially tax data, bank data and credit rating data; this does not, however, include the use of public data);
- discrimination with legal consequences or of equivalent effect (including in job placement services and assessment services which may influence salary and career opportunities);
- processing personal data of children (in services directed at children);
- disclosure of information protected by secrecy under the law (information subject to access restrictions, information protected by professional secrecy).
In setting the threshold of 10 000 persons, the DPI apparently builds on other thresholds in Estonian law that also use the 10 000 persons criterion for important services, e.g. important cable services, electricity distribution services provided as a vital service and gas distribution network services provided as a vital service.
The DPI added a disclaimer to its guidelines on DPIAs, saying that, at the time, no other common guidelines on the matter had been issued. Should the list of processing activities which constitute high risk be considered a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment pursuant to Article 35(4) of the GDPR, it would have to be communicated to the European Data Protection Board (EDPB) for an opinion. As such, the guidelines on large-scale processing might not be final.
We currently have no information as to how the guidelines have been accepted on the EDPB level.
References:
1. WP29 guidelines on DPIAs, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711 (accessed 31.07.2018), pp. 9-10.
2. WP29 guidelines on DPOs, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100 (accessed 31.07.2018).
3. WP29 guidelines on DPIAs, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711 (accessed 31.07.2018).
4. See section 2.1.3 of the WP29 guidelines on DPOs.
5. Recital 75 of the GDPR: "The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects."
Article provided by: Mari-Liis Orav, Attorney-at-law at PwC Legal Estonia