The Spanish Data Protection Agency (AEPD) has published the list of personal data processing operations for which conducting an impact assessment is not compulsory, in order to help controllers identify such processing. The General Data Protection Regulation (RGPD) provides in its article 35.1 that organizations processing data are obliged to carry out a data protection impact assessment (EIPD) before proceeding with such processing when, given its nature, scope, context or purposes, it is likely to entail a high risk to the rights and freedoms of individuals.
Moreover, paragraph 5 of the same article provides that the supervisory authorities may publish the list of types of processing that do not require an impact assessment. Likewise, as the RGPD establishes, the Agency has communicated the list, which is also available in English, to the European Data Protection Committee (SPDC). This list, which does not exempt controllers from complying with the rest of the obligations established by the data protection rules, complements the one issued earlier by the Agency covering the processing for which it is compulsory to undertake an EIPD.
The Agency has established that it will not be necessary to perform an EIPD when processing is carried out under the guidelines contained in circulars or decisions previously issued by the supervisory authorities, in particular the AEPD, provided that the processing has not been modified since it was authorized.
Nor is an EIPD required if processing is carried out in compliance with codes of conduct adopted by the European Commission or the supervisory authorities, provided that an EIPD was already conducted to validate the code of conduct and that the safeguards defined in that impact assessment are included.
The list also includes, among others, processing carried out by self-employed workers who practise individually, in particular doctors, health professionals or lawyers, without prejudice to an EIPD being required when such processing meets two or more of the criteria set out in the list of types of data processing that require an EIPD; as well as processing that is legally required and carried out for the internal management of SMEs for the purposes of accounting, human resources management, payroll, social security and safety at work, but never relating to customer data.
The Regulation provides that, in those cases where processing is likely to entail a high risk to the rights and freedoms of natural persons, it falls to the controller to carry out a data protection impact assessment to assess, in particular, the origin, nature, particularity and severity of that risk.
The AEPD has previously published various resources to facilitate compliance with this obligation, such as the Guide for impact assessments on the protection of personal data; the list of types of data processing that require an EIPD; Managed, a tool for performing risk analyses and impact assessments; and the EIPD report for public administrations.