"WHITE LIST" Draft - Data Protection Authority envisages far-reaching exceptions to data protection impact assessments


2018, April 27

Recently, the Data Protection Authority circulated a first draft regulation on exemptions from the obligation to draw up a data protection impact assessment ("white list"). Under the draft, existing standard applications in particular, as well as already registered data processing activities that required prior control, would not be subject to an impact assessment. This would at least clarify the area of standardised and pre-approved processing. However, the Austrian White List still needs to be coordinated with the other European data protection authorities. A final version is not expected until after May 25, 2018.

According to Art 35 GDPR, all controllers are obliged to prepare a data protection impact assessment and to update it on a regular basis if the actual processing is likely to involve a high risk for the data subjects. As the requirement for an impact assessment is often difficult to assess in practice, Article 35(5) of the GDPR allows data protection authorities to draw up a list of processing operations for which a data protection impact assessment ("PIA") is not required ("white lists"). In addition, data protection authorities have to draw up a list of data applications for which an impact assessment must be carried out ("black lists"). This should give legal practitioners greater clarity in their interpretation.

The Austrian data protection authority is now making use of its power to issue the White List, in the form of a first draft. It specifies the processing operations for which the authority does not usually see a high risk for the data subjects and for which therefore no comprehensive PIA is required. The promised - but not yet final - list of exceptions is quite comprehensive from the point of view of those applying the law and covers above all standardized data processing activities.

Specifically, the draft Regulation of the Data Protection Authority exempts the following processing operations from the obligation to carry out a data protection impact assessment:

1. The specific processing activities stated in the list of exceptions to the Regulation. These are mainly the previous standard applications of the Standard and Model Ordinance. However, the wording and approach have been adjusted somewhat: instead of the previous limitation to very specific data types, the white list now only contains a general description of the purpose of the respective processing activities. This means that the exceptions are not as rigid as before, but can be interpreted according to their telos. Among the 21 data applications in the list of exceptions, the following are of particular interest:

  • Customer management, accounting, logistics, bookkeeping
  • Personnel administration
  • Customer Care and Marketing
  • Access and access control
  • Video surveillance (in particular limited to own property, maximum of 72 hours retention time and appropriate labelling)
  • Scientific research and statistics
  • File management (including storage of accrued documents)

2. Furthermore, processing activities based on previous standard applications of the Standard and Model Ordinance are explicitly excluded, provided that "no significant changes" are made after 25 May 2018. This sets the status quo in stone. If adjustments are made to the standard applications, you must then check whether processing is covered by the new list of exceptions (see point 1) or whether a PIA still has to be carried out.

3. In addition, no impact assessment is required for data applications that were registered before 25.5.2018 and were subject to ex ante control by the data protection authority. This was one of the most important demands of the DORDA data protection experts. What has already satisfied the strict eye of the data protection authority on the basis of the Austrian Data Protection Act also has to be compliant with the GDPR. Anticipating this development, the DORDA data protection experts have advised clients until the very end to submit reports requiring prior monitoring even for the short remaining period of the DPA 2000 in order to obtain confirmation of data protection compliance from the authorities. Those who have followed this approach will now be rewarded with this relief from the obligation to create a PIA. In practice, the exception will now be particularly relevant for registered video surveillance systems. Here too, however, the obligation to carry out an impact assessment will take effect as soon as "significant changes" in data processing take place in the future. In practice, therefore, a question of interpretation of the materiality threshold arises here. In case of changes to processing activities already approved by the data protection authority, an impact assessment is therefore advisable when in doubt.

The White List provides clarity particularly for the usual core processing activities and for processing activities already examined by the data protection authority. I am pleased that, according to the draft regulation, no impact assessment is required for the area of personnel management, which is highly relevant in practice. Further clarity on the scope of the impact assessment will be provided by the forthcoming black list - i.e. the list of processing operations which in any case require a PIA.

It remains to be hoped that the planned exemption regulation will not change significantly in the European vote either. The DORDA data protection experts are cautiously optimistic here, since the previous standard processing methods were also privileged under the old data protection regime and have already sent signals to other jurisdictions in the direction of recognising old authority decisions. We have to hope that this spirit will also continue with regard to the question of the validity of declarations of consent validly obtained in the old legal environment.


The material contained in this website is provided for general information purposes only and does not constitute legal or other professional advice. We accept no responsibility for loss which may arise from reliance on information contained on this site.