Spain: List of specific scenarios for mandatory privacy impact assessment finally available


Article 35.1 of the General Data Protection Regulation (“RGPD”) provides that organisations processing personal data have to carry out privacy impact assessments where processing activities are likely to pose a high risk to the rights and freedoms of individuals. In particular, privacy impact assessments are aimed at identifying the activities that carry such a risk and at establishing the most appropriate control measures to minimise that risk before processing activities begin.

Until now, the criteria for determining whether this risk existed were not clear. Almost a year after the RGPD came into force, the Spanish Data Protection Agency (“AEPD”) published, on 6 May 2019, an indicative list of processing activities that it considers likely to generate a high risk for the rights and freedoms of the persons whose data are processed. The more criteria on the list a specific processing activity meets, the greater the risk involved and the greater the certainty that a privacy impact assessment is needed. Accordingly, the AEPD has established that a privacy impact assessment will be necessary where the processing activities meet two or more criteria of the list.

The list received a favourable opinion from the European Data Protection Committee and is published on the AEPD’s website.