When personal data is processed with overall impact assessment
The recent provision of the Guarantors for Privacy makes a list of the cases
The recent provision of the Guarantors for Privacy makes a list of the casesIn consideration of the GDPR (the legislative compliance decree of August 2018) coming into effect so recently and in the absence of previous case-law, it is difficult to consider when the overall impact assessment on the protection of personal data is mandatory, to which, in accordance to Article 35 of the GDPR, is necessary when a certain processing, which involves the use of modern technology, could “pose an elevated risk for the rights and liberties of the people themselves”. Besides, the clear uncertainty of this locution does not fully aid the interpreter.
Indeed, the third clause of just mentioned Article 35 lists three cases in which the overall impact assessment is expressly required. That is, the profiling of the clients, the processing of judicial data and the large-scale systematic surveillance of the areas accessible to the public. However, the list mentioned is not considered exhaustive and the fourth clause sees that the Guarantor for personal data protection prepares another specific list of the types of processing subject to the requirements of the overall impact assessment.
The specification that the GDPR intends has been recently made known by the Guarantors for Privacy attached to their provision no. 467 of the 11-10-2018 that imposes the “processing carried out regarding the employment relationship by means of technological systems (with regard also to video-recording and geo-location systems) from which the possibility to carry out distance-checks on the work of the employee”.
The overall impact assessment is therefore necessary in the case of judicial review of technologies including GPS, black-box, video-recording tools, and those which continually monitor and control every movement of the employee’s work.
In the case in which, from the overall impact assessment, “an elevated risk emerges in the absence of implemented measures of the titleholder to diminish risk”, prior consultation of the Guarantor of Privacy would then be rendered necessary, provided in Article 36 of GDPR. (LC)
