Legal

DPIA considerations

A DPIA (Data Protection Impact Assessment) describes a processing operation, assesses its necessity and proportionality, and helps manage the risks it poses to the rights and freedoms of the individuals whose data is processed.

Introduction

This document helps you to determine whether you need a Data Protection Impact Assessment (DPIA) before using Unless. A DPIA is likely to be required if several of the criteria below apply to your use case and your website's visitors are in the EU/EEA. Read on to find out more.

What is a DPIA?

The GDPR introduces the concept of a Data Protection Impact Assessment (DPIA). A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.

DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the regulation. In other words, a DPIA is a process for building and demonstrating compliance.

Goal

Our purpose is to ensure that privacy risks are minimised while allowing the aim of a controller project to be met whenever possible.

This document provides the considerations a controller needs to decide whether to carry out a DPIA before implementing the services of UNLESS (the processor). If a DPIA is needed, this document also contains the processor-side information required to perform the assessment.

Assumptions

This document was written under the assumption that the reader knows the GDPR terms and concepts. At a minimum, make sure to grasp the difference between the controller (the UNLESS customer, who decides the purposes and means of processing) and the processor (the UNLESS service, which processes personal data on the controller's behalf).

Source

This document has been created in accordance with the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, as adopted on 4 April 2017 and as last revised and adopted on 4 October 2017.

The Working Party that wrote the Guidelines was set up under Article 29 of Directive 95/46/EC. It was an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The secretariat was provided by Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Directorate General Justice, B-1049 Brussels, Belgium, Office No MO-59 03/075. Since 25 May 2018 the Working Party has been replaced by the European Data Protection Board (EDPB), which endorsed these Guidelines.

The processing performed by the UNLESS services, and the associated terminology, is defined in the Data Protection Agreement (DPA) of Unless. The purpose of this DPA is to record the agreement between controller and processor on the processing of personal data in accordance with data protection legislation.

DPIA criteria

In order to provide a more concrete set of processing operations that require a DPIA due to their inherent high risk, taking into account the relevant GDPR requirements, the Guidelines list the following nine criteria. As a rule of thumb in the Guidelines, processing that meets two or more of these criteria is likely to require a DPIA; in some cases a single criterion is enough. For each criterion, this document states whether it applies when using Unless.

Evaluation or scoring

Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements”.

Examples of this could include a financial institution that screens its customers against a credit reference database or against an anti-money laundering and counter-terrorist financing (AML/CTF) or fraud database, or a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks, or a company building behavioural or marketing profiles based on usage or navigation on its website.

Does this require a DPIA?

“Evaluation or scoring” is not relevant by default, but may become relevant through the controller’s actions. Unless does build behavioural or marketing profiles based on usage or navigation on the controller's website, but their impact is limited: by default these profiles are pseudonymous, not tied to an identified individual, and not used outside the scope of the controller’s website. More importantly, applying scoring that produces legal or similarly significant effects without a lawful basis (such as consent) is not allowed under the law or under the Unless terms and conditions.

Automated-decision making with legal or similar significant effect

Automated-decision making with legal or similar significant effect: processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person”. For example, the processing may lead to the exclusion or discrimination against individuals. Processing with little or no effect on individuals does not match this specific criterion.

Does this require a DPIA?

This criterion does not apply when using Unless. Imposing legal or similarly significant effects without a lawful basis (such as consent) is not allowed under the law or under the Unless terms and conditions. Also, processing with little or no effect on individuals does not match this specific criterion.

Systematic monitoring

Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area”. This type of monitoring is a criterion because the personal data may be collected in circumstances where data subjects may not be aware of who is collecting their data and how they will be used. Additionally, it may be impossible for individuals to avoid being subject to such processing in public (or publicly accessible) space(s).

Does this require a DPIA?

This is not applicable when using Unless.

Sensitive data or data of a highly personal nature

Sensitive data or data of a highly personal nature: this includes special categories of personal data (for example information about individuals’ political opinions), as well as personal data relating to criminal convictions or offences. An example would be a general hospital keeping patients’ medical records or a private investigator keeping offenders’ details.

Beyond these provisions of the GDPR, some categories of data can be considered as increasing the possible risk to the rights and freedoms of individuals. These personal data are considered as sensitive (as this term is commonly understood) because they are linked to household and private activities (such as electronic communications whose confidentiality should be protected), or because they impact the exercise of a fundamental right (such as location data whose collection questions the freedom of movement) or because their violation clearly involves serious impacts in the data subject’s daily life (such as financial data that might be used for payment fraud).

In this regard, whether the data has already been made publicly available by the data subject or by third parties may be relevant. The fact that personal data is publicly available may be considered as a factor in the assessment if the data was expected to be further used for certain purposes. This criterion may also include data such as personal documents, emails, diaries, notes from e-readers equipped with note-taking features, and very personal information contained in life-logging applications.

Does this require a DPIA?

When using Unless, this criterion is not relevant by default, but may become relevant through the controller’s actions. Sensitive data is not processed as long as the controller does not activate an integration with a third-party data source that contains such information.

Data processed on a large scale

Data processed on a large scale: the GDPR does not define what constitutes large-scale. The following factors may be considered when determining whether the processing is carried out on a large scale:

  1. the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
  2. the volume of data and/or the range of different data items being processed;
  3. the duration, or permanence, of the data processing activity;
  4. the geographical extent of the processing activity.

Does this require a DPIA?

When using Unless, this criterion is not relevant as long as the reach of the controller's website does not amount to a large proportion of the population of a country or region.

Matching or combining datasets

Matching or combining datasets, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.

Does this require a DPIA?

When using Unless, matching or combining datasets is not relevant by default, but may become relevant through the controller’s actions. It only applies if the controller decides to set up integrations with third-party data sources, such as a CRM.

Data concerning vulnerable data subjects

Data concerning vulnerable data subjects: the processing of this type of data is a criterion because of the increased power imbalance between the data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights. Vulnerable data subjects may include children (they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees, more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, the elderly, patients, etc.), and any case where an imbalance between the position of the data subject and that of the controller can be identified.

Does this require a DPIA?

This criterion does not apply when using Unless. In general, Unless does not allow personalization for website visitors who cannot oppose or consent to it. If the controller's actions result in an imbalance between the position of the data subject and that of the controller, this may be considered “misleading use” of the service, which is not allowed under the Unless terms and conditions.

Innovative use or applying new technological or organisational solutions

Innovative use or applying new technological or organisational solutions, like combining use of fingerprint and face recognition for improved physical access control, etc. The GDPR makes it clear that the use of a new technology, defined in “accordance with the achieved state of technological knowledge”, can trigger the need to carry out a DPIA. This is because the use of such technology can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms. Indeed, the personal and social consequences of the deployment of a new technology may be unknown. A DPIA will help the data controller to understand and to treat such risks. For example, certain “Internet of Things” applications could have a significant impact on individuals’ daily lives and privacy; and therefore require a DPIA.

Does this require a DPIA?

This criterion does not apply when using Unless. The services of UNLESS involve no unprecedented data collection methods (such as eye tracking or IoT sensors); the data processed is the standard request information that browsers send with every page request.

When the processing prevents data subjects from exercising a right

When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”. This includes processing operations that aims at allowing, modifying or refusing data subjects’ access to a service or entry into a contract. An example of this is where a bank screens its customers against a credit reference database in order to decide whether to offer them a loan.

Does this require a DPIA?

This criterion does not apply when using Unless. Preventing visitors from exercising a right, using a service or entering into a contract is not allowed under the law or under the Unless terms and conditions.

UNLESS processing operations mapped to DPIA criteria

For your convenience, the following chapter lists the processing operations that Unless conducts and the criteria that may be relevant to each. Here “relevant” means that the criterion may play a role, depending on the controller’s use case.

Documenting of publicly available request data

No criteria apply to this operation. The standard GDPR rules for the collection of website statistics apply: the controller must have a lawful basis for the processing, typically a legitimate interest or the visitor's consent (“cookie policy”).

Build actionable visitor segments in real time

Evaluation or scoring may be relevant. Unless builds behavioural or marketing profiles based on usage or navigation on the controller's website. However, these profiles are typically pseudonymized and only used within the scope of the controller’s website.

Adjust individual user experience for personalization and AB testing

No criteria apply to this operation. With regard to profiling, imposing legal or similarly significant effects without a lawful basis (such as consent) is not allowed under the law or under the Unless terms and conditions. Also, processing with little or no effect on individuals does not match this specific criterion.

Enrich the visitor data by integrating a third party data source

Matching or combining datasets, and sensitive data or data of a highly personal nature, may both be relevant, depending on the controller’s actions. By default, visitors are anonymous and there are no active integrations. Should the controller choose to use a third-party integration, the controller may need to carry out an assessment.

Additional DPIA information

The following describes the processor information that is required to carry out a DPIA covering the processing activities of UNLESS for your use case. You may use it to create a report.

Systematic description of the processing

Nature of the processing

UNLESS is a service for personalization. In other words, this means that it allows you to show tailored content to specific groups of people, depending on their needs. When an online message is made specifically relevant for a specific audience, members of this audience generally have a longer attention span, show more engagement and will therefore understand the available content better. In short, personalization improves the user experience by making it more relevant to individuals.

Personal data

The personal data consists of public request information (the standard data that browsers send with every page request over the internet, such as the IP address, user agent and referring URL). See a comprehensive list here.

For further details about Processing, Data Retention and Destruction, see the Data Privacy Addendum.

Functional description of the processing operation

By segmenting website traffic into groups, UNLESS allows you to make small changes on each web page that are specific for these groups (or “Audiences”). By using words, images, testimonials and examples that are well known for each group, a website becomes much easier to navigate and consume.

The first step of this process is the segmentation itself, which is done by defining a set of attributes, each with an expected value. An example attribute would be “referring URL”: the address of the web page the visitor clicked before entering the controller’s website. The expected value is compared with the actual referring URL of a new visitor. If it matches, the visitor becomes part of the audience and will see the tailored content associated with that audience.
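The following Python example, added here for illustration and not Unless's own code, shows the matching step described above together with two properties the page claims for the resulting profiles: the visitor identifier is pseudonymous and scoped to one controller (a keyed hash, so records cannot be joined across different controllers' websites), and every profile carries an expiry no later than 365 days after creation. The audience rules, header values and the HMAC-based identifier are assumptions for the example; the page does not describe how Unless derives its identifiers.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Page: data retention is no longer than 365 days.
RETENTION = timedelta(days=365)

# Constructed audience definitions: audience name -> attributes that must all match.
AUDIENCES = {
    "from-partner": {"referrer_host": "partner.example"},
    "dutch-visitors": {"accept_language": "nl"},
}


def request_attributes(headers):
    """Derive matchable attributes from standard request headers only."""
    attrs = {}
    referer = headers.get("Referer")
    if referer:
        attrs["referrer_host"] = urlparse(referer).hostname or ""
    lang = headers.get("Accept-Language", "")
    if lang:
        # "nl-NL,nl;q=0.9" -> "nl": keep the primary language tag of the first entry
        attrs["accept_language"] = lang.split(",")[0].split("-")[0].strip().lower()
    return attrs


def match_audiences(attrs, audiences=AUDIENCES):
    """Return the audiences whose attributes all equal the visitor's attributes."""
    return sorted(
        name for name, rule in audiences.items()
        if all(attrs.get(key) == value for key, value in rule.items())
    )


def pseudonymous_id(controller_key, headers):
    """Keyed hash of client IP + user agent (assumed inputs). The key is per controller,
    so the same visitor gets unrelated IDs on different controllers' websites."""
    client_ip = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    material = f"{client_ip}|{headers.get('User-Agent', '')}".encode()
    return hmac.new(controller_key, material, hashlib.sha256).hexdigest()[:32]


def build_profile(controller_key, headers, now=None):
    """Create a stored profile: pseudonymous ID, audience memberships, expiry timestamp."""
    now_dt = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    return {
        "visitor": pseudonymous_id(controller_key, headers),
        "audiences": match_audiences(request_attributes(headers)),
        "expires": (now_dt + RETENTION).isoformat(),
    }


def is_expired(profile, now):
    """True once the retention period has elapsed; the record must then be deleted."""
    return datetime.fromisoformat(now) >= datetime.fromisoformat(profile["expires"])


if __name__ == "__main__":
    # Constructed sample request from a visitor arriving via the partner site.
    sample = {
        "Referer": "https://partner.example/campaign?x=1",
        "Accept-Language": "en-US,en;q=0.8",
        "User-Agent": "Mozilla/5.0",
        "X-Forwarded-For": "203.0.113.7, 10.0.0.1",
    }
    print(build_profile(b"controller-a-key", sample, now="2024-01-01T00:00:00+00:00"))
```

Note that the raw IP address and user agent are used only to derive the identifier and are not stored in the profile; what the controller can later retrieve is the membership list and the expiry, which is what keeps the profile within the "limited impact" the page describes.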

Assets on which personal data rely

The controller decides which audiences to use. Once an audience has been defined, the process is fully automated. The data passes through the following services.

The dynamic part of the system, which returns audience memberships, is based on AWS API Gateway. All code is executed as serverless Lambda functions, which scale automatically with one invocation per request. The system is currently duplicated in full across three regions (Europe, US East and US West), with the exception of the data warehouse.

All historical visitor data Unless collects is stored in Ireland (Amazon Web Services, eu-west-1 region). The application servers and database servers run inside an Amazon Virtual Private Cloud (VPC). The database containing visitor and usage data is reachable only from the application servers; no outside sources are allowed to connect to it. Data retention times are no longer than 365 days. See the Data Privacy Addendum for details, including the transfer mechanism that applies if a request from an EU visitor is served from one of the US regions.
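A controller performing a DPIA will want to verify, not just read, the claim that the database is reachable only from the application tier. The Python check below is an added example (not Unless's code): it audits a list of inbound security-group permissions, shaped like the IpPermissions entries that the EC2 DescribeSecurityGroups API returns, and reports any source other than the application tier's security group that can reach the database port. The database port, the security-group IDs and the two rule sets (a weak one beside a hardened one) are constructed for the example; the page names neither the database engine nor its port.

```python
DB_PORT = 5432          # assumption: PostgreSQL-style port; the page does not name the engine
APP_TIER_SG = "sg-0app"  # hypothetical ID of the application tier's security group


def _covers_port(perm, port):
    """True if this permission admits TCP traffic to `port` (or is an all-traffic rule)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "-1" means all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_db_ingress(permissions, port=DB_PORT, app_sg=APP_TIER_SG):
    """Return human-readable findings for every inbound source, other than the
    application tier's security group, that may reach the database port.
    An empty list means the 'only reachable from the application servers' claim holds."""
    findings = []
    for perm in permissions:
        if not _covers_port(perm, port):
            continue
        # Any CIDR-based source is a violation: the database should not be addressable
        # by IP range at all, not even a private one, only by the app tier's group.
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"CIDR {cidr} can reach port {port}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != app_sg:
                findings.append(f"security group {pair.get('GroupId')} can reach port {port}")
    return findings


# Constructed weak configuration: the database is open to the internet on its port
# and an all-traffic rule admits the whole private range.
WEAK_DB_RULES = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
     "UserIdGroupPairs": []},
]

# Constructed hardened configuration: only the application tier's group, only the DB port.
HARDENED_DB_RULES = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_DB_RULES), ("hardened", HARDENED_DB_RULES)):
        print(label, audit_db_ingress(rules) or "OK")
```

On real infrastructure the `permissions` argument would be the `IpPermissions` list of the database security group as returned by DescribeSecurityGroups; the check is deliberately strict and flags every CIDR source, including private ranges, because the page's claim is that nothing but the application servers may connect.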

Necessity and proportionality

For a description of the measures taken to ensure the necessity and proportionality of the processing, and to safeguard the rights of the data subjects, see the Data Privacy Addendum and the Terms and Conditions.

Risks

For risk assessments and measures that have been taken, see Exhibit A of the Data Privacy Addendum.

Interested parties

The controller's Data Protection Officer (DPO), where one has been appointed, should be involved in finalizing the DPIA.

Frequently asked questions