PAe - The Spanish Data Protection Agency publishes the list of processing operations for which an impact assessment is not necessary

September 12 2019

The AEPD has developed this list to help controllers identify the processing operations for which a data protection impact assessment is not mandatory.

The Spanish Data Protection Agency (AEPD) has published the list of personal data processing operations for which an impact assessment is not compulsory, with the aim of making it easier for controllers to identify this kind of processing. Article 35.1 of the General Data Protection Regulation (RGPD) establishes that organizations processing data are obliged to carry out a data protection impact assessment (EIPD) before undertaking processing that, by its nature, scope, context or purposes, is likely to pose a high risk to the rights and freedoms of individuals.

Moreover, paragraph 5 of the same article stipulates that the supervisory authorities may publish the list of the types of processing that do not require an impact assessment. Likewise, as the RGPD establishes, the Agency has communicated the list, which is also available in English, to the European Data Protection Board (CEPD). This list, which does not preclude the remaining obligations under the data protection rules, complements the one previously published by the Agency containing the processing operations for which an EIPD is obligatory.

The Agency has determined that an EIPD will not be necessary when processing is carried out under guidelines contained in circulars or decisions previously issued by the supervisory authorities, in particular the AEPD, provided that the processing has not been modified since it was authorized.

Nor is it required if the processing is carried out in compliance with codes of conduct approved by the European Commission or the supervisory authorities, provided that an EIPD had already been carried out to validate that code of conduct and it included the safeguards defined in the impact assessment.

The processing operations on the list also include, among others, those carried out by self-employed workers practising individually, in particular doctors, health professionals or lawyers, without prejudice to an EIPD being required when such processing meets two or more of the criteria established in the list of types of data processing that require an EIPD; as well as processing that is mandatory by law and carried out in relation to the internal personnel management of SMEs for the purposes of accounting, human resources and payroll management, social security and occupational health, but never relating to customer data.

Impact assessments

The regulation states that where processing is likely to involve a high risk to the rights and freedoms of individuals, the controller is responsible for carrying out a data protection impact assessment in order to assess, in particular, the origin, nature, particularity and severity of that risk.

The AEPD has previously published various resources to help fulfil this obligation, such as the "Guide for impact assessments in the protection of personal data"; the list of types of data processing requiring an EIPD; Gestiona, a tool for carrying out risk analyses and impact assessments; and the EIPD report model for public administrations.
