07/02/2024 - Earlier this year, the Dutch Data Protection Authority (AP) issued its penalty decision concerning International Card Services B.V. (ICS). Subsequent to this decision, the AP opted to impose a fine of 150,000 euros on ICS for failing to carry out a Data Protection Impact Assessment (DPIA). The AP contends that ICS should have carried out a DPIA for the digital identification of its 1.5 million customers in the Netherlands through an application. In this blog post, we examine one of the most notable AVG requirements - the DPIA. We explore when organizations are required to perform it and what the specific requirements entail. Additionally, we delve into the penalty decision for ICS and examine the perspectives of regulators and the GDPR regarding the DPIA.
Reason for the penalty decision
ICS is a financial products provider and is best known for providing credit cards to its customers. Following numerous consumer complaints about its online identification process, the AP launched an investigation. Based on its findings, the AP concluded that ICS had neglected to carry out a DPIA for this process and had therefore violated Article 35 of the AVG.
When do you conduct a DPIA?
According to Article 35 of the GDPR, data controllers must carry out a DPIA before commencing a processing activity that is likely to present a high risk to the rights and freedoms of data subjects. What constitutes a "likely" high risk depends on the nature, scope, context and purposes of the processing, leaving room for interpretation. While paragraph 3 of Article 35 AVG provides some examples of high-risk processing, it is not an exhaustive list. Recitals 89 and 90 of the GDPR also refer to the necessity of a DPIA when introducing new technologies for data processing.
To provide more concrete examples and guidance on high-risk processing operations, the European Data Protection Board (EDPB) has published Guidelines and the AP has published a handbook on processing operations requiring a DPIA. Examples from the EDPB Guidelines include: evaluation or scoring, systematic monitoring, data processed on a large scale and data relating to vulnerable data subjects. The AP's handbook includes processing around covert investigations, blacklists, partnerships, health data and camera surveillance. The EDPB's Guidelines state that data controllers must conduct a DPIA if a processing operation meets two criteria, but also emphasize that meeting only one criterion does not automatically exempt organizations from conducting a DPIA. In practice, controllers will have to assess on a case-by-case basis whether a DPIA is actually necessary if only one criterion is met. In contrast, the AP's handbook does not specify the number of criteria necessary for a DPIA, potentially meaning that meeting one criterion of the AP's handbook may be sufficient to trigger the obligation to carry out a DPIA.
Despite the additional guidance provided by the EDPB and AP, many professionals in practice encounter specific cases that are not directly comparable to the aforementioned examples. Such was the case with ICS. ICS asserted that a DPIA was not necessary, partly because the processing did not fulfil two criteria from the AP's handbook. ICS argued that the online processing activity fulfilled only one criterion, namely large-scale processing. Unlike the AP, ICS believed that the personal data was not inherently sensitive. After investigation, the AP determined that two criteria from the Guidelines (originally the AP even considered that there were three) did apply to the processing, namely (1) sensitive data or data of a highly personal nature and (2) data processed on a large scale. Consequently, the AP concluded that ICS should have conducted a DPIA prior to the processing.
The form-free structure of a DPIA
In principle, organizations have the flexibility to determine the specific structure and format of a DPIA. This means that various approaches can be used to carry out a DPIA. However, both the recitals and Article 35 of the GDPR outline specific elements that a DPIA must include. In addition, the EDPB's Guidelines provide a list of criteria for assessing whether a DPIA complies with the GDPR. The main criteria are:
- a systematic description of the processing is provided;
- the necessity and proportionality of the processing are assessed;
- the risks to the rights and freedoms of data subjects are managed;
- stakeholders are involved.
Based on the "form-free" DPIA structure, ICS argued that it did not need to carry out a (separate) DPIA. In fact, ICS had already performed a Change Risk Assessment (CRA process) on the application responsible for digital customer identity verification. This CRA process identified, mitigated and monitored various risks. ICS argued that this process could be considered equivalent to carrying out a DPIA.
Nonetheless, the AP, applying these main criteria, concluded that ICS' CRA process fell short on three of the four, making it non-equivalent to a DPIA. Specifically, the AP noted that the CRA process did not include a systematic description of the processing, did not include an assessment of the necessity and proportionality of the processing and, finally, did not involve stakeholders. In addition, the AP found that the CRA process primarily focused on combating (identity) fraud rather than specifically addressing the protection of personal data.
In summary, the penalty decision highlights that organizations cannot simply bypass the requirement for a DPIA by performing a risk analysis. The analysis must meet specific requirements to qualify as a DPIA. Additionally, the penalty decision emphasizes the importance of a comprehensive analysis and assessment when determining the necessity for a DPIA. Therefore, if you’re unsure about the necessity for a DPIA, we strongly recommend conducting one.