Data Protection Impact Assessments – National Requirements in Finland and Sweden
26 February 2019
Authors: Erkko Korhonen, Anton Pirinen and Caroline Sundberg
When the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, the General Data Protection Regulation (“GDPR”) requires that a Data Protection Impact Assessment (“DPIA”) be conducted. Furthermore, the GDPR provides national data protection authorities with the competence to decide, within the scope of the leeway provided by the GDPR, which personal data processing operations are subject to the requirement of a DPIA in their respective Member States. The Finnish Office of the Data Protection Ombudsman (“Finnish Supervisory Authority”) and the Swedish Datainspektionen (“Swedish Supervisory Authority”) have recently used their powers in this regard.
On 21 December 2018, the Finnish Supervisory Authority published a non-exhaustive list of processing operations which are subject to a DPIA. In addition, the Swedish Supervisory Authority published a corresponding list on 16 January 2019. Both lists reflect the Working Party 29’s guidelines on DPIA (“Guidelines”), including the nine criteria contained therein, which should be considered in determining whether processing is likely to result in a high risk for the purposes of the GDPR.
Based on the Guidelines, a DPIA would in most cases be required if two of the below criteria are met:
- Personal data is processed for the purpose of evaluation or scoring.
- Personal data is processed for the purpose of automated decision-making with legal or similar significant effect.
- Data subjects are systematically monitored.
- Sensitive personal data or personal data of a highly personal nature is processed.
- Personal data is processed on a large scale.
- Datasets are matched or combined.
- Personal data concerning vulnerable data subjects is processed.
- New technological or organisational solutions are used or applied innovatively.
- The processing may prevent data subjects from exercising a right or using a service or a contract.
According to the Swedish list, a DPIA is compulsory if the processing operation meets at least two of the criteria specified in the list, which reflect the above nine criteria of the Guidelines. The Swedish Supervisory Authority also provides examples of processing operations which fulfil the criteria. For example, a health or medical care provider’s processing of personal data (unless done only on a small scale), the provision of smart home products, or the introduction of a whistleblowing system would require a DPIA.
The Finnish Supervisory Authority has also included whistleblowing systems in its list of processing operations that require a DPIA. Based on the Finnish list, a DPIA must also be conducted, for example, when location data is processed in conjunction with one of the nine criteria provided by the Guidelines, for instance when location data is processed for the purpose of automated decision-making with legal or similar significant effect or when the processing reveals sensitive data or data of a highly personal nature. Furthermore, a DPIA must be conducted when personal data is collected from a source other than the individual without providing them with a privacy notice in accordance with Article 14(5) of the GDPR and when such data is processed in conjunction with at least one of the nine criteria provided by the Guidelines.
Interestingly, even though both lists are based on the Guidelines, the Finnish and the Swedish Supervisory Authorities have not used their powers in a uniform manner, a divergence that has often been the case with the transposition of EU law in Finland and Sweden. The Swedish Supervisory Authority has opted to complement and specify the criteria of the Guidelines by altering their application and providing a list of examples where a DPIA must be carried out in that context. In contrast, the Finnish Supervisory Authority has adopted a different approach and provided a relatively straightforward list of specific processing operations which require a DPIA.
The above discrepancies may cause challenges for companies operating in the Nordic market. For example, with respect to certain processing operations, a DPIA might be mandatory in Sweden, but not in Finland. We believe that our cross-border Technology team is in a unique position to help companies navigate the DPIA requirements in the Nordic countries, and our team will be happy to assist with any questions relating to them.