Page 1

Document
signed by
Krzysztof Madej
Date:
2019.07.08
15:23:15 CEST

POLISH MONITOR

OFFICIAL JOURNAL OF THE REPUBLIC OF POLAND
Warsaw, July 8, 2019
Item 666
MESSAGE
THE PRESIDENT OF THE PERSONAL DATA PROTECTION OFFICE
of June 17, 2019
on the list of types of personal data processing operations requiring a processing impact assessment
for their protection
Based on Article. 54 sec. 1 point 1 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws, item 1000 and 1669
and of 2019, item 730) in connection with Art. 35 sec. 4 and 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of individuals with regard to the processing of personal data and in the matter
the free movement of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation)
(Journal of Laws UE L 119 of 04.05.2016, p. 1 and L 127 of 23.05.2018, p. 2) it is hereby announced as follows:
1) the list of types of personal data processing operations requiring an impact assessment is published
for their protection, as referred to in art. 35 sec. 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) - the list is specified in the attachment to the communication;
2) the list referred to in point 1 repeals the statement of the President of the Personal Data Protection Office of
17 August 2018 on the list of types of personal data processing operations requiring an impact assessment
processing for their protection (MP item 827), a list not including processing activities related to
providing goods or services to data subjects or monitoring their behavior in several countries
member states of the European Union.

President of the Personal Data Protection Office: J. Nowak

Page 2
Polish Monitor

-2-

Item 666
Annex to the announcement of the President of the Data Protection Office
Personal of June 17, 2019 (item 666)

LIST OF TYPES OF PERSONAL DATA PROCESSING OPERATIONS
REQUIRING AN EVALUATION OF THE PROCESSING
EFFECTS ON THEIR PROTECTION
PROTECTION
The list below contains the types of processing operations that, in the opinion of the Office for Personal Data Protection
require a data protection impact assessment. This list has been compiled as part of the obligation
imposed on the Personal Data Protection Office pursuant to Art. 35 sec. 4 of Parliament's regulation
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
in connection with the processing of personal data and on the free movement of such data, and
repealing Directive 95/46 / EC (General Data Protection Regulation) as a Polish supervisory authority.
This list does not release the controller from the obligation to analyze all processing operations
based on a full data protection impact assessment pursuant to Art. 35 sec. 1 of the regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of persons
individuals with regard to the processing of personal data and on the free movement of such data
data and repealing Directive 95/46 / EC (General Data Protection Regulation). The list was
based on the guidelines of the Article 29 Working Party (WP 248) “Guidelines for evaluation
data protection implications, and helping to determine whether processing is likely to result in high
the risk “for the purposes of Regulation 2016/679”. This list complements and specifies the above guidelines.
As a rule, processing that meets at least two of the criteria listed below will require
data protection impact assessments. In some cases, however, the data controller may find that
processing that meets only one of the criteria listed below will need to be carried out
data protection impact assessments. The more criteria the processing meets, the more
there is likely a high risk of violating the rights or freedoms of data subjects,
and consequently, regardless of the measures envisaged by the administrator to be applied, it is required
there will be a data protection impact assessment.
The Office for Personal Data Protection emphasizes that each of the examples of areas of application is specific
purely illustrative, and consequently "Examples of operations / scope of data / circumstances in which
there may be a high risk of a breach for a given type of processing operation ”are not
exhausting. The examples in the list are only intended to help you better understand
criteria / types of operations that may trigger an impact assessment for
data protection.
This list is without prejudice to the general obligation of the administrator to make an appropriate assessment
risk and risk management. Also, carrying out a data protection impact assessment does not exempt
controller with other duties specified in the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(General Data Protection Regulation) and the obligations set out in other relevant
regulations.
I. Types / criteria for

II. Potential areas of occurrence / existing

III. Operation / scope examples

processing operations, for
which is required

application areas

data / circumstances in which it may occur
high risk of a breach for a given type

conducting the assessment

processing operations

1. Evaluation or evaluation,

Social media, marketing companies,

Profiling portal users

including profiling

headhunting companies

social and other applications for the purpose

and prediction (analysis
behavioral) for purposes
causing negative
legal and physical effects,
financial or other

sending commercial information
Banks, other authorized financial institutions

Credit Score Using

for lending, loan institutions
in the creditworthiness assessment process

artificial intelligence algorithms, covered
duty of secrecy and request
disclosure of non-direct data

inconvenience to people
physical

in connection with the assessment of creditworthiness
Insurance companies - offering discounts

Assessment of lifestyle, eating, driving, method

related to lifestyle (cigarettes, alcohol,
extreme sports, car driving style)

spending time, etc. of natural persons in order to, e.g.
increasing the price of the insurance premium for them,
on the basis of this assessment, called generally
optimization of the insurance premium

Page 3
Polish Monitor

-3-

Item 666

Insurance companies - e.g. more favorable

Indirect profiling (assessment of a person based on

insurance or credit offers for

belonging to a specific group)

employees of specific groups, e.g. administration
public, teachers
2. Automated
decision-making

Roads covered by the segmental speed measurement
(the system collects information not only

Monitoring systems used

causing effects

about violating vehicles, but

legal, financial or
similar significant effects

about all vehicles that show up
in the controlled area), road sections

supervision of the driver and his behavior on
road, in particular systems that allow

for traffic management, enabling detailed

equipped with an electronic collection system

automatic vehicle identification
Automatic toll collection systems

viaTOLL fees

entry

Online stores offering promotional prices

Customer profiling systems for

for specific customer groups.
Companies that operate loyalty programs

identifying shopping preferences,
automatic setting of promotional prices

(purchasing communities)

based on the profile

Marketing programs containing items

Monitoring purchases and purchasing preferences

profiling people

(e.g. alcohol, sweets)

3. Systematic

Means of public transport, cities offering

Monitoring of people using the services

monitoring to a large extent

bicycle and car rental systems

in public space, with the use of

the scale of places available
publicly exploiting

and designating paid parking zones

data going beyond the necessary data
to provide these services

recognition elements

Workplaces (system monitoring

Employee working time monitoring systems

characteristics or properties
objects that will appear

IT electronic mail,
used software, access cards
e.t.c.)

and the flow of information in use

in monitored
space. To this group

by them tools (e-mail,
Internet)
Criterion: systematic monitoring ( see WP
249 1 ) + sensitive data subjects

systems are not counted
monitoring systems
vision in which the picture

Processing of information obtained by

Collection and use of data by

Internet of Things (medical bands, smartwatches

applications installed on mobile devices,

is being recorded

etc.) and their transmission over the network using
mobile devices such as a smartphone or tablet

including integrated devices
with a uniform, helmet or otherwise

and only used
in case of need

connected with the person retrieving the data

incident analysis

Machine communication systems -

Follow-up vehicle monitoring systems

violations of the law

the machine in which the car informs

connections with the environment, including others

the environment about their behavior (movement)
and in the event of an emerging threat

vehicles

receives from this environment (infrastructure
road, other cars) announcements
warning signs
Opinion of the European Economic and
-Social on
radio frequency identification (RFID) (2007 / C 256/13)
Hospitals / Research Organizations
clinical.

Systems using RFID where
tags / labels are or can be assigned
natural persons
Patient / customer health data

Fitness clubs / entities / collecting organizations
genetic material for research

4. Processing

Political parties, election committees, committees

Processing by state authorities or

specific categories

referenda and legislative initiatives,

private entities of personal data

personal data
and concerning judgments

social organizations, election campaigns

regarding party affiliation and / or
electoral preferences

convictions and deeds
forbidden (data

Telecommunications operators; suppliers
utilities (electricity, gas, water) in the range

Regular processing of measurement data
enabling observation of lifestyle,

sensitive according to WP 29)

smart metering - Recommendation
2012/148 / EU of the European Commission of March

movement in the field, intensity
use of utilities, energy, etc. (e.g. data

2012 on preparations
for the dissemination of intelligent systems

geolocation, data from intelligent
metering meters on the energy consumed,

measuring

communication billing data
electronic etc.)

1 Opinion

2/2017 on data processing in the workplace (08/06/2017).

3

Page 4
Polish Monitor

-4-

Item 666

Electronic mail services; systems
monitoring of sports achievements

Internet services and other IT systems
offered to natural persons for processing

cooperating with fitness bands
using cloud computing; apps

information covering activities of nature
purely personal or household (such as services

supplied by reader manufacturers

cloud computing for management

electronic for the purchase of books, newspapers
electronic devices with note-taking functions, etc.

personal documents, mail service
electronic, calendars, e-readers equipped
with note-taking functions and various applications
life-logging type they may contain
information of a very personal nature),
whose disclosure or processing for purposes
other than domestic activities
can be considered very intrusive
in privacy

5. Data processing

Face recognition systems, verification

Entrances to specific areas, rooms or

biometric only

workplace identity for inspection

to identify a person
physical or for control purposes

access, identity verification

gaining access to a specific account
in the IT system for the purpose of e.g. execution

in devices / applications (incl

transaction orders in the ICT system

access

voice, fingerprint and face recognition);

or cash withdrawals using an ATM, etc.

monitoring systems for specific entrances
premises; accounting and
- registration of banking and commercial operations,
insurance; entry control systems to
fitness clubs, hotels, etc.
6. Data processing

Laboratories / Companies / Hospitals offering

Medical diagnosis

genetic

genetic diagnostics

DNA tests
Medical studies

7. Data processed on

Central system:

large-scale where the concept
large scale concerns:

- educational information;

• the number of data subjects

- servicing of motor insurance;

are processed,
• the scope of processing,

- professional qualifications, etc.

depending on their role and related tasks
with the performance of these obligations

• storage period
data and

Social networks, browsers

Collecting a wide range of data

Internet, cable TV service providers,

about the websites viewed,

• geographic scope

subscription services with movies and programs
available on devices

purchases / purchase history,
TV programs watched or

with internet access

radio etc.

8. Conducting

Marketing firms extracting data from various

Combining data from different state registers

comparisons, evaluation or

sources where personal data occurs
about clients for the purposes of carrying out

and / or public

processing

inference based on
analysis of obtained data
from various sources

Central supporting data sets
managing a specific group of people for goals
related to the implementation of public tasks,
from which data are made available to a different extent

- information in higher education;

targeted at specific customer groups
marketing campaigns
Marketing companies for improvement i

Creation of profiles of people from datasets

expanding the profiles of potential customers, and
improving advertising services targeted at

from different sources (pooling)

specific social groups;
companies operating loyalty programs
(purchasing communities)
Social networks, commercial networks, companies

Collecting data about the pages viewed,

marketing, banks and financial institutions

performed banking operations, purchases
in online stores and their subsequent analysis
to create a person's profile

9. Data processing
about people whom

Job sites that they do
matching offers to specific preferences

Processing of data in which it is carried out
classification or assessment of data subjects,

evaluation and the services provided to them
employers

in terms of e.g. age, gender, and then

are addicted to
entities or persons that

these classifications are used for the presentation
offers or other activities that may have an impact

have powers

on the rights or freedoms of data subjects

supervisory and / or evaluation

processed
Systems for reporting irregularities

Systems for reporting irregularities

(whistleblowing)

(related to e.g. corruption, mobbing) in particular when data is processed in it
employees

4

Page 5
Polish Monitor

-5-

Item 666

10. Innovative

Media vendors and distributors

Remote metering systems that, taking

use or

(electricity, gas, water, telecommunications services)

take into account the scope and frequency of data collection,

application of solutions
technological or

implementing smart meters

enable profiling of people or groups of people

Data processing websites

Data analysis and processing systems

organizational

from devices such as the Internet of Things, e.g. cameras
with photo functions

in metadata, e.g. photos
provided with geolocation data

location-based (GPS)
Application of communication between devices

Systems used for analysis and reporting

(Internet of Things - e.g. beacons, drones)
in public spaces and places

data to service providers using the application
mobile from mobile devices such as:

public utility

smartwatches, smart bands, beacons, etc.
analyzing and transferring data to suppliers at
using mobile applications

11. When the processing of the same
in itself makes it impossible

Applications with communication functions
and replacement software

The use of devices equipped with various
the type of interfaces (speaker, microphone, camera) and

information with the immediate surroundings and remotely

software and communication system enabling

through the telecommunications network

transmission of data via networks
telecommunications

Interactive toys

Services and toys dedicated to children

Specialist advice and consultation

Telemedicine consultations with centers outside the EU,

medical, clinical trials of a range
international

transfer of personal medical data

Entities granting loans and credits, and
offering installment sale

Making a credit decision in relation to
potential customers based on the information

with an international scope

people whose data

contained in databases containing information

concern, exercise
rights or use

about debtors or similar databases
Online stores and providers of other services

Making the possibility of using the service dependent on

from a service or contract

games, music, lotteries, etc.

information on income, amount of expenses
monthly and other collected values
as a result of profiling

12. Data processing

Devices, applications and platforms that use

Processing that uses location tracking

localization

Internet of Things.

a natural person (including communication networks

Data processing in the context of work

and communication services, pointing to the geographic location

at home and remotely.

the position of telecommunications equipment terminals

Processing of location data

user of a publicly available service

employees

telecommunications)

5

