RODO (GDPR) - when a factor must perform a so-called DPIA analysis.

# Publication of the list

On July 8, 2019, the Announcement of the President of the Office for Personal Data Protection dated June 17, 2019, listing the types of personal data processing operations that require a data protection impact assessment, was published. A day later, a notice appeared on the DPA website. What is it about?

The announced list includes 12 categories of types of processing operations, along with examples of operations where there may be a high risk of violation of rights or freedoms, and examples of potential areas involving these operations. As a rule, processing that meets at least two of the indicated criteria will require a data protection impact assessment. In some cases, however, a data controller may find that processing that meets only one of the listed criteria will require a data protection impact assessment.

Simplifying: if a factoring company processes personal data in the manner and using the methods indicated in the list, a special internal procedure should be drawn up (or at least the need to draw one up should be considered), concluding with a Data Protection Impact Assessment (DPIA) of the processing.

# What examples do we find on the list, where a company is either required to conduct or should consider a DPIA?

I took the liberty of pointing out examples that might apply to a factoring company:

  • Assessing the financial capacity of a customer (sole proprietor) using artificial intelligence and so-called scoring machines;
  • Making financing / factoring limit decisions based on information from debtor databases, or analysis of the household budget;
  • Processing of location data of the sales representative - car / location / phone;
  • Monitoring of employees' working time by analysing, for example, email;
  • Use of a facial, voice or fingerprint recognition system to verify identity for access to the office;
  • Use of a whistleblowing system;
  • The use of RFID where tags are or can be assigned to individuals;
  • Customer profiling based on personal data from various sources.

# The factor processes data as indicated above - what next?

A so-called Data Protection Impact Assessment (DPIA) may need to be conducted. This is because the company must, before starting the data processing (e.g., the launch of a scoring machine), assess the effects of the planned processing operations on the protection of personal data. Such an assessment is an internal analysis that includes, among other things, a systematic description of the planned processing operations and purposes, an assessment of whether the operations are necessary to achieve the purposes, an evaluation of the risk of violation of rights or freedoms, and the measures planned to manage the risk, including safeguards to ensure the protection of personal data, taking into account the legitimate interests of the persons whose data will be processed.

Importantly: the controller should carry out the assessment together with the Data Protection Officer (if appointed), and in some cases is obliged to consult the people whose data will be processed. The controller is also required to take industry codes into account. In addition, in the case of a high risk, if the controller has not taken measures to minimize the risk, the controller shall consult the supervisory authority, the President of the Office for Personal Data Protection, before starting the processing. The supervisory authority gives written recommendations to the controller within 8 weeks of receipt of the request.

A DPIA can be prepared by a professional data protection officer, as well as by lawyers specializing in data protection. Should you wish to obtain a quote for such a service, we encourage you to contact us.

Bartosz Nadra

Attorney | Managing Partner

#timefactoring

Poland's first blog on the legal aspects of factoring
