Page 1

Advertisement no.
828/2019 on the register
over
processing operations
which always require
impact assessment
privacy
Page 2

Article 1

In general.

The guarantor shall in certain cases always carry out an assessment of the impact of the proposed
processing of personal data protection actions, before processing begins.

Privacy shall, according to para. Article 29 Act no. 90/2018, Coll. Paragraph 4 Article 35
the general person of the Protection Regulation (EU) 2016/679, prepare and publish a list of them
types of processing of actions that require an assessment of the impact on privacy. Such an assessment
shall be carried out before the processing of the personal data begins.

It is the opinion of the Data Protection Authority that the types of processing of personal information that
specified in Article 3. are of such a nature that they are likely to cause a great deal
risk to the rights and freedoms of individuals. This list is based on a so-called analysis
Article 29 working group of the European Union, which has been ratified by the European Union
the European Data Protection Board (EDPB), no. WP-248, as seen
has existed as a fundamental element to ensure uniform implementation within
European Economic Area.

It is the nature of a list like this that it is not exhaustive about the types of processing that
is likely to pose a significant risk to the rights and freedoms of individuals. Af
therefore, it is the responsibility of the controller to assess each and every processing
entails such a risk, whether or not specified in Article 3. or not.

Article 2

Criteria in the guidelines of Article 29 of the working group no. WP-248.

In most cases where an assessment of the impact of the proposed processing operations is required
protection of personal data, as referred to in the guidelines of Article 29. of the working group no.
WP-248, is the processing of personal data involving two or more categories
listed below. In certain cases, however, it is sufficient for the processing to fail
under one category to call for such an assessment.

1. Evaluation or grading / scoring.

Page 3

2. Automatic decision-making that affects the rights of the data subject.
3. Systematic monitoring.
Sensitive personal information or other sensitive personal information.
Extensive data processing.
6. Synchronization and integration of databases.
7. Information on persons with disabilities.
8. Processing using new technology or organizational solutions or older technology
in a new way.
9. Processing of personal information that prevents the data subject from enjoying it
rights, receive for payment, service or contract.

Article 3

A list of processing operations that always require an impact assessment on privacy.

Data collection from third parties in the context of at least one of the above
categories in Article 2.
For example, the collection and integration of personal information from third parties in order to
decide whether the registered person should be summoned, receive it, or be denied
product, service or offer. (Parties who are lame and food or
rated gift / points gift)
or systematic integration of information from remote switching devices, e.g.
location, other data, or the processing of personal information about the user's use
on the services of an electronic communications company. (We provide personal information or others
information of a sensitive nature and systematic monitoring).
Extensive systematic surveillance, including camera surveillance, in areas
open general ingi. (Systematic processing and extensive processing).
Electronic monitoring of schools or kindergartens during school / placement time. (Systematic monitoring
and people with disabilities).
4. Processing of personal information in order to assess performance, well-being or well-being
students in school or kindergarten. This applies to all levels of education, such as in
kindergartens, primary schools, secondary schools and universities. (Parties standing
sluggish legs and systematic monitoring).
5. Processing of biometric information for the purpose of identifying or confirming the identity of an individual
unequivocally, while the processing involves at least one of them
categories specified in Article 2.

Page 4

For example, extensive processing of biometric information. (Sensitive
personal information or other information of a sensitive nature and extensive
processing).
6. Processing with genetic information, at the same time as the processing relates to at least
one of the categories specified in Article 2.
For example, extensive processing of genetic information, including
sequencing of genetic contaminants. (Sensitive personal information or other information
delicate nature and extensive processing).
7. Processing of personal information which involves monitoring of work returns or behavior
employees.
For example, to monitor, systematically, employees' internet use,
their electronic communication or to monitor employees
camera surveillance. (Persons with disabilities and systematic supervision).
8. Processing of personal data where new technology or older technology is applied
in a new way, while the processing relates to at least one of the categories that
specified in Article 2.
For example, the processing of health information obtained with a new one
health technologies, such as implantable medical devices. (Processing where applied
is new technology and sensitive personal information or other information
sensitive nature).
9. Processing of personal data for the purpose of evaluating, in a systematic manner
skills, abilities, test results, mental health or development. (Sensitive
personal information or other information of a sensitive and systematic nature
monitoring).
10. Processing of personal information that takes place without the consent of the data subject
for scientific or historical purposes, in addition to the processing
at least one of the categories referred to in Article 2.
For example, the processing of health information in connection with scientific research without
consent of the data subject. (Evaluation or grading / scoring and sensitive
personal information or other sensitive information).
11. Processing of personal information for the purpose of providing services or developing products
intended for business use, where work capacity is forecast,
economic status, health, beliefs or concerns, reliability, behavior,
location or travel routes, while the processing involves at least one
of the categories specified in Article 2. (Sensitive personal information or other
sensitive information and evaluation or grading / scoring).

Page 5

Extensive processing of sensitive personal information, or others
personal information of a sensitive nature, in order to develop an algorithm. (Extensive
processing and sensitive personal information or other sensitive information
nature).
13. Extensive collection of personal information, which takes place through the "Internet
of the objects ”or solutions that monitor the condition and movement of individuals, e.g.
as a smartwatch. (Extensive processing and sensitive personal or other information
sensitive information).
14. Processing of personal information that prevents the data subject from enjoying it
certain rights or receive a facility, service or contract, in parallel with
processing relates to at least one of the categories specified in Article 2.
For example, when a financial institution looks at a person's credit rating information in it
for the purpose of deciding whether to grant him a loan facility. (Evaluation or
rating / scoring and sensitive personal or other information
of a quasi-nature).

Article 4

Entry into force, etc.

This advertisement is published on the basis of the second paragraph. Article 29 Act no. 90/2018, Coll. Paragraph 4 35.
gr. of the General Privacy Regulation (EU) 2016/679.

This advertisement will take effect immediately. At the same time, advertisement no. 337/2019 um
a list of processing actions that require an impact assessment on privacy.

On behalf of the Data Protection Authority, 29 August 2019,

Björg Thorarensen.

