List of processing operations where a DPIA is always required

The Norwegian Data Protection Authority has recently published a list of processing operations that shall always require a data protection impact assessment (DPIA) pursuant to article 35(4) of the General Data Protection Regulation (GDPR).

Where an organization decides to use an IT solution, such as a new technology, or otherwise carries out processing operations that are likely to result in a high risk to the rights and freedoms of individuals, a DPIA is mandatory prior to any such processing. The DPIA should “describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.” (Guidelines on DPIA – WP 248 rev.01)

According to the GDPR, supervisory authorities in the European Economic Area shall establish and publish a list of processing operations that shall always require a DPIA (article 35(4)). The Data Protection Authority's list is not exhaustive and data controllers must therefore still assess whether processing activities which do not fall within the list require a DPIA.

Amongst the processing activities included in the Norwegian Data Protection Authority's list are the following:

  • data collected via third parties in conjunction with at least one other criterion (e.g. systematic monitoring, large scale processing, matching or combining data sets) identified in the Working Party 29's Guidelines on DPIAs (WP 248 rev.01, pages 9-11);
  • processing of personal data involving measures for systematic monitoring of employee activities;
  • processing of personal data without consent for scientific or historical purposes in conjunction with at least one other criterion;
  • processing of location data in conjunction with at least one other criterion;
  • processing of sensitive or highly personal data on a large scale for training of algorithms;
  • processing of personal data to systematically monitor proficiency, skills, scores, mental health and development;
  • collection of personal data on a large scale through the use of "internet of things" solutions or welfare technology solutions.

The list was approved by the EDPB. It is available in both Norwegian and English.