List of processing operations subject to a personal data protection impact assessment
in the Slovak Republic 1

The list of processing operations subject to a personal data protection impact assessment
within the Slovak Republic (hereinafter referred to as the "list"):
• serves to clarify Article 35(1) of the General Data Protection Regulation 2;
• is demonstrative in nature; it is therefore necessary to proceed from Article 35(1) of the
General Data Protection Regulation;
• is based on the criteria issued by WP 29 in Guidelines WP 248 3 and on EDPB Opinion
No. 21/2018 4;
• aims to give Slovak controllers a harmonized view of the processing of personal data
that may have a cross-border dimension or an impact on the free movement of data
subjects' personal data across the European Union;
• complements and clarifies Guidelines WP 248;
• identifies 13 processing operations.
The processing operations involving personal data that are always subject to a data
protection impact assessment are as follows:
1. Processing of biometric data of natural persons for the purpose of individually identifying
a natural person, in conjunction with at least one of the criteria set out in Guidelines WP 248.
2. Processing of genetic data of natural persons, in conjunction with at least one of the
criteria set out in Guidelines WP 248.
3. Processing of location data, in conjunction with at least one of the criteria set out in
Guidelines WP 248.

1 If processing under Article 6(1)(c) or (e) of the General Data Protection Regulation has
a legal basis in Union law or in the law of the Member State to which the controller is subject, that law
regulates the specific processing operation or set of operations in question, and a data protection impact
assessment has already been carried out as part of a general impact assessment in connection with the adoption
of that legal basis, Article 35(1) to (7) of the General Data Protection Regulation shall not apply unless
Member States consider it necessary to carry out such an assessment before starting processing activities.

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation).

3 Guidelines WP 248 rev. 01 on data protection impact assessment and determining whether processing is
"likely to result in a high risk" for the purposes of Regulation 2016/679 are available at this link:
https://www.dataprotection.gov.sk/uoou/sites/default/files/usmernenia_tykajuce_sa_posudenia_vplyvu_na_ochranu_udajov_a_stanovenie_toho_ci_spracuvanie_pravdepodobne_povedie_k_vysokemu_riziku.pdf

4 Opinion 21/2018 on the draft list of the competent supervisory authority of Slovakia regarding
the processing operations subject to the requirement of a data protection impact assessment
(Article 35(4) of the General Data Protection Regulation) is available at the following link:
https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-212018-slovakiasas-dpia-list_en (currently in English only).

4. Processing operations carried out pursuant to Article 14 of the General Data Protection
Regulation.
If the information that should be provided to the data subject is covered by an exemption under
Article 14(5)(b), (c) and (d) of the General Data Protection Regulation, an impact assessment is
required only in conjunction with at least one of the criteria set out in Guidelines WP 248.
5. Evaluation or scoring.
The purpose of the processing operation is to assess certain characteristics of the data subject, and
the result affects the quality of a service or whether it can be provided to the data subject.
6. Credibility assessment.
The purpose of the processing operation is to assess the credibility of the data subject
through the systematic evaluation of personal data or the evaluation of personal data
on a large scale.
7. Solvency assessment.
The purpose of the processing operation is to assess the solvency of the data subject
through the systematic evaluation of personal data or the evaluation of personal data
on a large scale.
8. Profiling.
The purpose of the processing operation is profiling through the systematic evaluation of
personal data, especially when it is based on an assessment of the performance characteristics,
financial condition, state of health, personal preferences or interests, reliability or
conduct, residence or movement of the data subject.
9. Monitoring of an employee's work on the basis of serious reasons arising from the special
nature of the employer's activity (hereinafter referred to as "processing of employees' personal
data by monitoring").
Because of its special nature, the processing of employees' personal data by monitoring
meets both the criterion of data relating to vulnerable data subjects and the criterion of
systematic monitoring, two of the criteria set out in Guidelines WP 248, and therefore requires
a personal data protection impact assessment.
10. Processing of personal data for the purposes of scientific or historical research
without the consent of the data subject, in conjunction with at least one of the criteria set out
in Guidelines WP 248.
11. Processing operations using new or innovative technologies, in conjunction
with at least one criterion set out in Guidelines WP 248.
12. Systematic camera monitoring of public spaces (in individual cities,
municipalities and carriers of urban and suburban public transport).

13. Surveillance of persons by private detectives or security services.

Criteria under Guidelines WP 248 that may help identify cases in which processing
operations are subject to the data protection impact assessment requirement 5:
• evaluation or scoring, including profiling and prediction,
• automated decision-making with legal or similar binding effect,
• systematic monitoring,
• sensitive data or data of a very personal nature,
• data processed on a large scale,
• merging or combining data sets,
• data relating to vulnerable data subjects,
• innovative use or application of new technological or organizational solutions,
• the processing itself prevents data subjects from exercising a right or using a
service or contract.

5 Guidelines WP 248, pp. 10-12.

