This post is also available in: Español

Article 35.1 of the General Data Protection Regulation (“GDPR”) requires controllers that process data to perform a Data Protection Impact Assessment (“DPIA”) prior to any processing that may present a risk to the rights and freedoms of individuals, giving national data protection agencies the ability to publish a list of those specific processing operations that do not require a DPIA.

Following its publication last May of a non-exhaustive list of personal data processing operations subject to a DPIA, the Spanish Data Protection Agency (“AEPD”) has just published a note containing a list, again non-exhaustive, of those processing operations for which no DPIA is required.

In its list, the Spanish Data Protection Agency includes seven cases that, a priori and insofar as certain conditions are fulfilled, would be exempt from performing a DPIA. Among them, the following are worth mentioning:

  • Processing operations performed, within the framework of their profession, by self-employed workers who exercise their profession individually (e.g., physicians and attorneys), without prejudice to the fact that these may be required when it becomes necessary again;
  • Processing operations carried out by homeowners’ associations and sub-associations;
  • Processing operations required by law in relation to the management of SME staff but never regarding customers; and
  • Processing operations performed by not-for-profit professional bodies and associations –within the strict exercise of their tasks– of the (non-sensitive) personal data of their members and donors.

All other processing operations not subject to DPIA can be seen here.

In any event, the Spanish Data Protection Agency reiterates that not performing a DPIA must be sufficiently substantiated, and it emphasizes the need to comply with all other obligations required by applicable data protection legislation.


Jorge Monclús