Belgian Data Commissioner Issues GDPR White List and GDPR Black List for Processing Operations

The Belgian Commission for the Protection of Privacy has created a set of recommendations which outline the way in which to the General Data Protection Regulation (GDPR).

On May 25, 2018, the GDPR will enact its plan to protect the personal data of all EU citizens—no matter where they are living.

Specifically the Belgian Commission’s recommendations focus on Data Protection Impact Assessments (DPIAs). The Commission has published a Black List and a White List of processing operations.

Every company who employs and/or does businesses with EU citizens must decide whether their organization needs to have a DPIA. The DPIA would be used

GDPR mandates that each business must have a Black List of processing operations. These are ones which MUST have a DPIA.

A White List enumerates processing operations NOT included and thus not requiring a DPIA. The Belgian Commission notes in its Black List:

Processing involving biometric data uniquely identifying in a space—public or private—which is publicly open. Personal data from a third party that determines whether the individual is hired or fired, accepted or denied.

Information collected in a form not agreed upon by the data collected (e.g. electronic devices like smart phones, auditory, and/or video devices).

Personal data collected from a third party may negatively affect health and/or finance of an individual. Data used for purposes not agreed upon by the individual whose personal data is being or has been collected.

Processing done by medical implant. This data may be an infringement of rights and freedoms and/or could pose a health risk.

Personal data affects the vulnerable members of society (e.g., children, mentally challenged, physically challenged individuals). Highly personal data such as financial statement; employability; social service involvement; private activities; domestic situation.