I) General Information
The current list of personal data processing operations requiring a data protection impact assessment is adopted by the Commission for Personal Data Protection on the basis of Art. 35, paragraph 4 of Regulation (EU) 2016/679, after receiving the opinion of the European Data Protection Board within the consistency mechanism.
The list is non-exhaustive and can be updated, if necessary, following the procedure for adoption.
The purpose of the list is to assist controllers in conducting a data protection impact assessment pursuant to their obligation under Art. 35, paragraph 1 of Regulation (EU) 2016/679, whenever a specific processing is likely to result in a high risk to the rights and freedoms of the individuals, even if the processing operations are not mentioned in this list.
The list is prepared on the basis of the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, adopted by the Article 29 Working Party on 4 April 2017 and last revised and adopted on 4 October 2017, subsequently endorsed by the European Data Protection Board on 25 May 2018.
II) Types of processing operations requiring data protection impact assessment
The controllers whose main or only place of establishment is on the territory of the Republic of Bulgaria will be required to conduct a data protection impact assessment (DPIA) in all cases when a specific processing is likely to result in a high risk to the rights and freedoms of the individuals, including in the cases foreseen in Art. 35, paragraph 3 of the Regulation, as well as when carrying out the following types of processing operations:
1. Large scale processing of biometric data for the unique identification of the individual which is not sporadic.
2. Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects him/her.
3. Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects him/her.
4. Processing operations for which the provision of information to the data subject pursuant to Art. 14 of GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when they are linked to large scale processing.
5. Personal data processing by a controller with its main place of establishment outside the EU when its designated representative for the EU is located on the territory of the Republic of Bulgaria.
6. Regular and systematic processing for which the provision of information pursuant to Art. 19 of GDPR by the controller to the data subject is impossible or requires disproportionate efforts.
7. Processing of personal data of children in relation to the offer of information society services directly to a child.
8. Migration of data from existing to new technologies when this is linked to large scale data processing.