The Estonian data protection authority issued guidance on the definition of “large scale” processing
In the DPI's view, data processing could be considered large scale when it includes:
- special categories of personal data or personal data relating to criminal offences of 5000+ people;
- personal data of high risk of 10 000+ people;
- other personal data of 50 000+ people.
The need to carry out a DPIA.
Under Article 35 of the GDPR, the controller has to carry out a DPIA where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Under the GDPR, a DPIA shall in particular be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1) of the GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
- a systematic monitoring of a publicly accessible area on a large scale.
According to the Article 29 Working Party (WP29), “data processed on a large scale” is one of the nine criteria to be considered when assessing whether a processing operation requires a DPIA.[1]
The need to appoint a DPO.
Under Article 37(1)(a) of the GDPR, public authorities or bodies have to appoint a DPO in any case. Private entities have to appoint a DPO when the conditions of Article 37(1)(b) or (c) of the GDPR are met. Under Article 37(1)(b), the controller and the processor shall designate a DPO in any case where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. Under Article 37(1)(c), the controller and the processor shall designate a DPO in any case where the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 of the GDPR or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
Problems in practice.
In practice, companies often have difficulty assessing whether they need to appoint a DPO and whether a DPIA has to be carried out. The difficulty arises mainly because the assessment entails an often complicated analysis of the company's data processing activities. WP29 issued guidelines and FAQs on DPOs as early as December 2016 (revised in April 2017),[2] and on DPIAs in April 2017 (revised in October 2017),[3] which certainly help but do not provide clear-cut answers. Open concepts such as “large scale” have been especially troublesome to pin down, although they are among the core concepts on which the obligations turn.
Guidance by the Estonian DPI.
To assist companies to some extent, the Estonian DPI issued guidance on how to define “large scale” when deciding whether to appoint a DPO or carry out a DPIA. In the Estonian DPI's view, data processing is of large scale when it includes:
- special categories of personal data or personal data relating to criminal offences of 5000+ people;
- personal data of high risk of 10 000+ people;
- other personal data of 50 000+ people.
It is interesting to note that in its guidelines on DPOs, WP29 stated that it is not possible to give a precise number, either of the amount of data processed or of the number of individuals concerned, that would be applicable in all situations, although WP29 did not exclude the possibility of a standard practice developing in the future.[4] However, according to WP29's guidelines, one of the factors that may be considered in determining whether processing is carried out on a large scale is the number of data subjects concerned, either as a specific number or as a proportion of the relevant population. In Estonia's case, it should also be kept in mind that the country has a population of 1.3 million.
According to the DPI’s explanations in the guidelines, their considerations are based on the following:
5000+ people (special categories of personal data or personal data relating to criminal offences): Recital 91 of the GDPR (in relation to DPIAs) provides that processing should not be considered to be on a large scale if it concerns personal data of patients by an individual physician or other health care professional. In Estonia, the most common individual physician is the family physician. Under the law, the maximum number of persons on a family physician's practice list is 2000 (2400 when at least one health care professional qualified as a physician provides general medical care to the persons on the list together with the family physician). The threshold of 5000 people therefore corresponds to the practice lists of two to three family physicians. Recital 91 of the GDPR also refers to individual lawyers, but there are no reliable data on the number of clients of lawyers. The DPI also considered that the GDPR's standards for special categories of personal data are stricter than those of the previously applicable Personal Data Protection Act, which is why the DPI considered it reasonable to set the threshold for special categories of personal data at half of that for other sensitive data (high-risk data).
10 000+ people (personal data of high risk):
The definition of high risk derives from Recital 75 of the GDPR.[5] The DPI gives the following examples of high risk:
- identity theft or fraud (especially in relation to digital trust services and comparable identity management services);
- financial loss (especially through bank and credit card services);
- breaching the secrecy of messages (especially in the case of communications services);
- tracking the location of a person in real time (especially in the case of communications services);
- disclosing the economic situation of a person (especially tax data, bank data and credit rating data; this does not, however, include the use of public data);
- discrimination with legal consequences or of equivalent effect (including in job placement services and assessment services which may influence salary and career opportunities);
- processing personal data of children (in services directed at children);
- disclosing information protected by secrecy deriving from the law (information with access restriction, information protected by professional secrecy).
In setting the threshold of 10 000 persons, the DPI apparently draws on other important services that also use a 10 000-person criterion under Estonian law, e.g. important cable services, electricity distribution provided as a vital service, and gas distribution network services provided as a vital service.
The DPI added a disclaimer to its guidelines on DPIAs, saying that, at the time, no other common guidelines on the matter had been issued. Should the list of processing activities that constitute high risk be regarded as a list of the kinds of processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4) of the GDPR, it would have to be communicated to the European Data Protection Board (EDPB) for an opinion. As such, the guidelines on large scale processing might not be final.
We currently have no information as to how the guidelines have been accepted on the EDPB level.
References:
[1] See WP29 guidelines on DPIAs, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711 (31.07.2018), pp. 9-10.
[2] See http://ec.europa.eu/newsroom/document.cfm?doc_id=44100 (31.07.2018).
[3] See http://ec.europa.eu/newsroom/document.cfm?doc_id=47711 (31.07.2018).
[4] See section 2.1.3 of the WP29 guidelines on DPOs.
[5] Recital 75 of the GDPR: The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
Article provided by: Mari-Liis Orav, Attorney-at-law at PwC Legal Estonia
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org