Does remote reading of heat meters require a data protection impact assessment (DPIA)?

ANSWER

Article 35(1) GDPR provides that where a type of processing — in particular using new technologies — is likely to result in a high risk to the rights and freedoms of natural persons by virtue of its nature, scope, context and purposes, the controller shall carry out a data protection impact assessment (DPIA) prior to processing. In its Communication of 17 June 2019, the Polish DPA (UODO) published a list of types of processing operations requiring a DPIA. Point 10 of the table concerns innovative use or application of technological or organizational solutions. The target group indicated includes energy suppliers and distributors implementing smart meters. Remote metering systems were given as examples of processing operations. In my view, in the case of remote reading of heat meters described, there will be a need to carry out a DPIA before processing begins.