23. maj 2017
KL's høringssvar vedr. Artikel 29-gruppens Guidelines om konsekvensanalyser
Artikel 29-gruppen har på et møde den 4. og 5. april 2017 i Bruxelles vedtaget en ny vejledning (guideline) om databeskyttelsesforordningens artikel 35 om udarbejdelse af databeskyttelseskonsekvensanalyser (data protection impact assesment/DPIA).
KL har den 23. maj 2017 afgivet følgende høringssvar til artikel 29-gruppen:
Comments on Guidelines on Data Protection Impact Assessment (DPIA)
Local Government Denmark welcomes the opportunity to comment on "Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679" from The Article 29 Data Protection Working Party.
Local Government Denmark wishes to express concern about the extend to which the Guidelines expand the obligations and tasks of the municipalities in their role as controller.
In our point of view carrying out DPIAs is only one of many ways for the controller to secure data and comply with the GDPR, and setting up administrative practices to implement DPIAs should balance the GDPR´s risk-based approach. Our concerns apply to e.g.:
- The list of processing operations that require a DPIA includes almost all operations in the public sector, especially concerning the fact that most operations include citizens receiving some sort of service from the municipalities and therefore contain a power imbalance between the data controller and the data subject.
- Carrying out a DPIA continuously on excisting processing activities, including a 3 years re-assessment will require enormous ressources, taking into account that a medium size Danish municipality has approximately 300-400 data processing systems.
- The understanding that carrying out a DPIA is an on-going process is opposed to Article 35(10), according to which a DPIA can be carried out as part of the (one time) establishment of Member State law. Most data processing activities carried out in the Danish municipalities are based on legislation.
- Seeking the view of data subjects including staff representatives and customers/citizens and documenting if the views of the data subjects are not taking into account.