Revised list of data processing operations requiring a DPIA
On 8 July 2019, the Communication of the President of the Personal Data Protection Office of 17 June 2019 concerning the list of the kind of processing operations which are subject to the requirement for a data protection impact assessment was announced in Monitor Polski.
In principle, processing meeting at least two of the relevant criteria will require a data protection impact assessment. In some cases, however, the controller may consider that processing meeting only one of these criteria will require a data protection impact assessment. The more criteria the processing fulfils, the more likely it is that a high risk of breach of the rights or freedoms of data subjects is likely to arise and consequently, irrespective of the measures envisaged by the controller to be applied, a data protection impact assessment will be required.
The list has been updated to take account of the opinion of the European Data Protection Board and also covers processing activities which involve offering goods or services to data subjects or monitoring their behaviour in several Member States or which may significantly affect the free movement of personal data in the European Union.
The basis for announcing the Communication of the President of the Personal Data Protection Office constitutes Article 54 (1) (1) of the Act on Personal Data Protection in connection with Article 35 (4) and (6) of Regulation (EU) No. 2016/679 of the European Parliament and of the Council. The list constitutes an attachment to the Communication of the President of Personal Data Protection Office available on the website: http://monitorpolski.gov.pl/MP/2019/666