Can a public administration unit rely on Article 35(10) GDPR not to carry out a data protection impact assessment for processing under Article 6(1)(c) GDPR?

ANSWER

A public administration unit may not carry out a data protection impact assessment under Article 35(10) GDPR for processing operations that are not expressly listed in the Communication of the President of the Personal Data Protection Office of 17 August 2018 on the list of types of personal data processing operations requiring a data protection impact assessment. Such communication was issued under Article 54 of the Personal Data Protection Act. It is available at: https://uodo.gov.pl/pl/123/212 (access: 19 August 2019). The published list contains 9 categories of types of processing for which a data protection impact assessment will be mandatory. Therefore, for the processing operation types listed there, a DPIA must mandatorily be carried out, while in other cases the data controller may consider not carrying out the assessment under Article 35(10) GDPR.