EU Article 29 Working Party Issues Draft Guidelines on Data Protection Impact Assessments

On 04 April 2017, the EU Article 29 Working Party (WP29) issued its much-anticipated draft Guidelines on Data Protection Impact Assessments (DPIAs), which will be required under Article 35 of the EU General Data Protection Regulation (GDPR). The draft Guidelines are open for comment from the public until 23 May 2017, after which the final Guidelines will be published. The DPIA Guidelines will be complemented by the WP29 Guidelines on Profiling, a draft of which is expected to be published later this year.

The draft DPIA Guidelines provide additional insights into the types of processing that will require a DPIA and the circumstances under which consultation with data protection authorities must be carried out. The requirement will apply to processing operations that meet the criteria of Article 35 and that are initiated after the GDPR becomes applicable, on 25 May 2018 (or that are modified in significant ways after that date). However, the WP29 recommends that DPIAs be carried out for all processing operations that meet the Article 35 criteria.

The draft DPIA Guidelines also:

  • provide various examples of the types of processing operations that will be subject to DPIAs as well as the criteria that should be considered in assessing whether the processing is likely to present a high risk to the rights and freedoms of data subjects (thus triggering the DPIA obligation);
  • clarify that prior consultation with the Data Protection Authority (DPA) is required when there is a “residual” high risk to the rights and freedoms of data subjects, even after remedial measures are applied to address the risks; and
  • seek to promote the development of a common list of EU processing operations for which DPIAs are necessary, and for which they are not necessary, along with common criteria for specifying when DPAs should be consulted.

© Copyright 2017 Squire Patton Boggs (US) LLP


About this Author

Asel Ibraimova is an associate with expertise in European data protection matters.

Asel has worked in the healthcare industry and media industry, representing the interests of both data controllers and data processors. She has advised on methods of international transfer of personal data, on data protection issues related to the launch of websites, apps, mobile devices and online personalization services. She has negotiated data protection contracts with major online service providers, including cloud providers. Asel has drafted data protection...