The National Supervisory Authority for Personal Data Processing issued the Decision no. 174/2018 (“DPIA Decision“) regarding the list of processing operations that are subject to the requirement of data protection impact assessment (“DPIA“):
- processing of personal data in order to carry out a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- large-scale processing of special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation or personal data relating to criminal convictions and offenses;
- processing of personal data for the purpose of systematic and large-scale monitoring of publicly accessible areas, such as video surveillance in shopping centers, stadiums, markets, parks or other such spaces;
- large-scale processing of personal data of vulnerable persons, especially minors and employees, by automatic means of monitoring and/or systematic recording of people’s behavior, including for advertising, marketing and publicity purposes;
- large-scale processing of personal data by using innovative or by applying new technological solutions, particularly where such operations limit the ability of data subjects to exercise their rights, such as the use of facial recognition techniques to facilitate access to different spaces;
- large-scale processing of personal data generated by sensing devices transmitting data through the Internet or by other means (the “Internet of Things” applications, such as smart TV, connected vehicles, smart metering, intelligent toys, intelligent cities or other such applications);
- large-scale and/or systematic processing of traffic and/or location data of individuals (such as Wi-Fi monitoring, processing the geo-location of passengers in public transportation or other similar situations), when processing is not necessary in order to provide a service requested by the data subject.
The list provided by the DPIA Decision is not exhaustive, but only includes examples of activities considered by the Romanian DPA as being subject to a DPIA. As such, other processing activities may require DPIA according to the General Data Protection EU Regulation no. 2016/679 and the Guidelines on Data Protection Impact Assessment (DPIA) and for determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (issued by the Article 29 Working Party) .
