You are here:
22 February 2019 / news

List of processing operations requiring a DPIA updated

On 25 September 2018, the European Data Protection Board (EDPB) adopted Opinion 2/2018 on the draft list of the Belgian Data Protection Authority on processing operations for which a data protection impact assessment (DPIA) is required. Following this opinion, the Belgian Data Protection Authority updated its list of DPIA processing operations.

Update of the list of processing operations for which a DPIA is required

Updated DPIA list

The Belgian Data Protection Authority points out that the list (FR/NL) in question is not exhaustive and in no way affects the general obligation of the data controller to carry out a proper risk assessment.

In addition to the cases provided for in Article 35 (3) of the GDPR, a DPIA is in the view of the Belgian regulator always required:

  1. Where the processing involves the use of biometric data for the unique identification of data subjects in a public or private place accessible to the public;
  2. Where personal data are collected from third parties in order to be subsequently taken into account in the decision to refuse or terminate a specific service contract with a natural person;
  3. When health data of a data subject are collected automatically using an active implantable medical device;
  4. When data are collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movement of natural persons;
  5. Where special categories of personal data within the meaning of Article 9 of the GDPR or data of a very personal nature (such as data on poverty, unemployment, the involvement of youth services or social work, data on domestic and private activities, location data) are systematically exchanged between several controllers;
  6. In case of large-scale processing of data generated by devices with sensors that send data via the Internet or other means (applications of the “Internet of Things”, such as intelligent televisions, intelligent household appliances, connected toys, smart cities, intelligent energy meters, etc.) and where this processing is used to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movement of natural persons;
  7. Where there is a large-scale and/or systematic processing of telephony, Internet or other communication data, metadata or data relating to the location of natural persons or leading to natural persons (e.g. wifi-tracking or the processing of passenger location data in public transport), where the processing is not strictly necessary for a service requested by the person concerned; and
  8. When it comes to large-scale processing of personal data where the conduct of natural persons is observed, collected, established or influenced, including for advertising purposes, in a systematic manner via automated processing.

The fact that a DPIA is required does not entail that a prior consultation with the Data Protection Authority must also take place. Prior consultation will not be required if the risk can be sufficiently limited by appropriate technical and organisational measures.



Woman on her smartphone with a cup of coffee

Did your cookies policy survive the Christmas holiday?

The use of cookies is regulated by EU Directive 2002/58 on Privacy and Electronic Communications (“e-Privacy Directive”). The e-Privacy Directive applies to... read more
Valentijn De Boe and Olivier van der Haegen

Two new partners at Loyens & Loeff Belgium

Valentijn De Boe and Olivier van der Haegen have been appointed as local partners at Loyens & Loeff in Belgium with effect from 1 January 2020. Valentijn is... read more
Hakim Boularbah and Olivier van der Haegen

Hakim Boularbah and Olivier van der Haegen recognized by Who’s Who Legal Arbitration 2020

We are very proud to announce that Hakim Boularbah, Partner and Head of the International Litigation and Arbitration Practice of our Brussels office, is recommended... read more
Stay informed

Don't miss out. Stay up to date about our latest news and events.

Stay informed