The Spanish Data Protection Agency (AEPD) has published the list of personal data processing operations for which a data protection impact assessment is not compulsory, with the aim of helping controllers identify this kind of processing. Article 35.1 of the General Data Protection Regulation (RGPD) establishes that organizations that process data are obliged to carry out a data protection impact assessment (EIPD) before undertaking that processing when it is likely, given its nature, scope, context or purposes, to pose a high risk to the rights and freedoms of individuals.
In addition, paragraph 5 of the same article establishes that supervisory authorities may publish the list of the types of processing that do not require an impact assessment. Likewise, as provided for in the RGPD, the Agency has communicated the list to the European Data Protection Board (CEPD), and it is also available in English. This list, which does not exclude the remaining obligations under data protection rules, complements the one previously published by the Agency containing the processing operations for which carrying out an EIPD is mandatory.
The Agency has established that an EIPD will not be necessary for processing carried out under guidelines contained in circulars or decisions previously issued by supervisory authorities, in particular the AEPD, provided that the processing has not been modified since it was authorized.
Nor is it required if the processing is carried out in accordance with codes of conduct approved by the European Commission or supervisory authorities, provided that an EIPD had already been carried out to validate that code of conduct and that the safeguards defined in the impact assessment are included.
The list also includes, among others, processing carried out by self-employed workers practising individually, including doctors, health professionals or lawyers, without prejudice to the fact that an assessment may be required when that processing meets two or more criteria in the list of types of data processing requiring an EIPD; as well as processing required by law and carried out for the internal management of SMEs for the purposes of accounting, human resources management and payroll, social security and occupational health, but never concerning customer data.
The Regulation states that where processing is likely to involve a high risk to the rights and freedoms of individuals, it falls to the controller to carry out a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.
The AEPD has previously published various resources to facilitate fulfilling this obligation, such as the Guía para las evaluaciones de impacto en la protección de datos personales; the list of types of data processing requiring an EIPD; Managed, a tool for performing risk analyses and impact assessments; and the EIPD report model for public administrations.