You are here:
22 February 2019 / news

List of processing operations requiring a DPIA updated

On 25 September 2018, the European Data Protection Board (EDPB) adopted Opinion 2/2018 on the draft list of the Belgian Data Protection Authority on processing operations for which a data protection impact assessment (DPIA) is required. Following this opinion, the Belgian Data Protection Authority updated its list of DPIA processing operations.

Update of the list of processing operations for which a DPIA is required

Updated DPIA list

The Belgian Data Protection Authority points out that the list (FR/NL) in question is not exhaustive and in no way affects the general obligation of the data controller to carry out a proper risk assessment.

In addition to the cases provided for in Article 35 (3) of the GDPR, a DPIA is in the view of the Belgian regulator always required:

  1. Where the processing involves the use of biometric data for the unique identification of data subjects in a public or private place accessible to the public;
  2. Where personal data are collected from third parties in order to be subsequently taken into account in the decision to refuse or terminate a specific service contract with a natural person;
  3. When health data of a data subject are collected automatically using an active implantable medical device;
  4. When data are collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movement of natural persons;
  5. Where special categories of personal data within the meaning of Article 9 of the GDPR or data of a very personal nature (such as data on poverty, unemployment, the involvement of youth services or social work, data on domestic and private activities, location data) are systematically exchanged between several controllers;
  6. In case of large-scale processing of data generated by devices with sensors that send data via the Internet or other means (applications of the “Internet of Things”, such as intelligent televisions, intelligent household appliances, connected toys, smart cities, intelligent energy meters, etc.) and where this processing is used to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movement of natural persons;
  7. Where there is a large-scale and/or systematic processing of telephony, Internet or other communication data, metadata or data relating to the location of natural persons or leading to natural persons (e.g. wifi-tracking or the processing of passenger location data in public transport), where the processing is not strictly necessary for a service requested by the person concerned; and
  8. When it comes to large-scale processing of personal data where the conduct of natural persons is observed, collected, established or influenced, including for advertising purposes, in a systematic manner via automated processing.

The fact that a DPIA is required does not entail that a prior consultation with the Data Protection Authority must also take place. Prior consultation will not be required if the risk can be sufficiently limited by appropriate technical and organisational measures.

Transfers following Schrems II: more clarity

On 11 November 2020, the EDPB published (in concept) its long-awaited recommendations concerning the transfer of personal data following Schrems II. Moreover,... read more
Data Protection Summer Dive

Data Protection Summer Dive

The Loyens & Loeff Data Protection & Privacy Team has prepared updates throughout summer to help you keep up with the latest decisions of the Belgian Data Protection... read more

Legal considerations for businesses during the coronavirus outbreak in Belgium

As the coronavirus (COVID-19) continues to impact the daily lives of people around the world, the priority for companies remains, of course, the safety of their... read more
Stay informed

Don't miss out. Stay up to date about our latest news and events.

Stay informed