Supervisory authorities publish data protection impact assessment catalogue submitted to EDSA [European Data Protection Board EDPB].
After Hesse also publishedits own data protection impact assessment catalogue in June, question remains whether the lists published by the supervisory authorities are mandatory for responsible entities to use.Art. 35 Para. 4 P. 2 GDPR demands that each of these lists (shall) be presented to the European Data Protection Board (EDPB), which probably did not happen to date.
The Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia has now published a list of processesin accordance with Art. 35 Para. 4 GDPR on its homepage in German and English for the private sector, also submitting this to the EDPB.Since the list bears the Data Protection Conference (DSK) logo, it may be assumed – even though the website did not explicitly point this out – that this is a list of criteria coordinated by all German supervisory authorities; especially considering that the NRW Commissioner currently chairs the DSK.
Again the supervisory authorities in this list failed to compile a list of processes as required under the GDPR, but rather included criteria by which responsible entities should themselves determine whether specific processing will require a data protection impact assessment.The responsibility, actually according to the GDPR to be borne by the supervisory authorities, is thus fully devolved to the responsible entity.
The LDI NRW [Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia]also points out that the list is binding, yet not conclusive.Whether this note refers only to the list of public processing or also to the list submitted to EDSA remains unclear.A responsible entity from the private sector must ultimately also take into account not only this list but also that it may yet be confronted with a list published by the supervisory authorities responsible specifically for him.
For an overviewof which requirement by which supervisory authority is published in which list, please refer to http://ds-gvo.gesundheitsdatenschutz.org/html/dsfa_liste_aufsichtsbehoerden.php.
Author: Bernd Schütze