
PAe - The Spanish Data Protection Agency publishes the list of processing operations for which an impact assessment is not necessary


12 September 2019

The AEPD has developed this list to help controllers identify the processing operations for which a data protection impact assessment is not mandatory.

The Spanish Data Protection Agency (AEPD) has published the list of personal data processing operations for which an impact assessment is not compulsory, in order to help controllers identify such processing. Article 35.1 of the General Data Protection Regulation (RGPD) provides that organizations processing data are obliged to carry out a data protection impact assessment (EIPD) before proceeding with such processing when, given its nature, scope, context or purposes, it is likely to result in a high risk to the rights and freedoms of natural persons.

Moreover, paragraph 5 of the same article provides that supervisory authorities may publish a list of the types of processing that do not require an impact assessment. As the RGPD establishes, the Agency has communicated the list to the European Data Protection Board; the list is also available in English. This list, which does not exempt controllers from complying with the rest of the obligations established by the data protection rules, complements the one issued earlier by the Agency setting out the processing operations for which an EIPD is compulsory.

The Agency has determined that an EIPD will not be necessary when processing is carried out under the guidelines contained in circulars or decisions previously issued by the supervisory authorities, in particular the AEPD, provided that the processing has not been modified since it was authorized.

Nor is an EIPD required if processing is carried out in compliance with codes of conduct adopted by the European Commission or the supervisory authorities, provided that an EIPD has already been conducted to validate the code of conduct and that the safeguards defined in that impact assessment are included.

The list also includes, among others, processing carried out by self-employed workers who practise individually, in particular doctors, health professionals or lawyers, without prejudice to an EIPD being required when such processing meets two or more of the criteria set out in the list of types of data processing that require an EIPD. It likewise includes processing that is legally required and carried out for the internal management of SMEs for the purposes of accounting, human resources management, payroll, social security and safety at work, but never processing relating to customer data.

Impact assessments

The regulation provides that, where processing is likely to result in a high risk to the rights and freedoms of natural persons, it falls to the controller to carry out a data protection impact assessment in order to assess, in particular, the origin, nature, particularity and severity of that risk.

The AEPD has previously published various resources to facilitate compliance with this obligation, such as the Guide for impact assessments on the protection of personal data; the list of types of data processing that require an EIPD; Gestiona, a tool for performing risk analyses and impact assessments; and the EIPD report for public administrations.
