When are a DPIA and balancing test required for monitoring and data processing?
ANSWER
When the legal basis for processing data in the course of monitoring is Article 6(1)(f) GDPR, i.e. the controller's legitimate interests, a balancing test must be carried out. Under that provision, processing cannot be based on this ground where the interests or fundamental rights and freedoms of the data subject which require protection of personal data override the interests of the controller. The balancing test examines this relationship and determines whether the data subject's interests or fundamental rights and freedoms override the interests of the controller.
Helpful materials in this regard include, for example: /narzedzia/kalkulator-test-rownowagi
A DPIA, i.e. a data protection impact assessment, must be carried out when a given type of processing (in particular one using new technologies), by virtue of its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons (Article 35 GDPR). In the case of employee monitoring, the need to carry out a DPIA arises primarily from the fact that employees are data subjects requiring special protection and from their systematic monitoring. Two of the nine factors increasing the likelihood of breaches are therefore met, which in principle, according to the Article 29 Working Party guidelines, indicates the need to carry out a DPIA. The data protection impact assessment gives the controller an opportunity to identify gaps and risks related to data processing in the process under analysis.
Helpful materials in this regard include, for example: /wiedza/blog/ocena-skutkow-dla-ochrony-danych-dpia-bezplatny-formularz


