Given that the new Law will introduce a risk-based approach to data processing, a written opinion on the assessment of the impact of personal data processing, or the assessment of legitimate interest, will serve as the very first piece of evidence: for the supervisory authority in the event of an inspection, and for the court when the decision to impose a fine is appealed.
Let me remind you that the risk-based approach assumes that the company does not treat all personal data processing operations equally. Instead, it makes greater efforts to protect data carrying a higher degree of risk, which is in line with the principle of proportionality; therefore the adequacy of the protective measures taken, and their compliance with the level of risk, will be assessed precisely on the basis of the conclusion of the assessment.
The Greek Data Protection Supervisory Authority examined the case against the Athens Urban Transport Organization, finding, inter alia, insufficient thoroughness of the data protection impact assessment and a violation of the principle of data retention limitation in the electronic ticketing system.
As a personal data controller, the transport organization processed passengers' travel data: when a ticket was purchased, the database stored a hashed value derived from the combination of the passenger's card number (or passport number or other identity document) and an 8-digit PIN code, as well as the month and year of birth and the special category of the beneficiary. Despite the fact that the passengers' names appeared neither on the ticket nor in the database, comparing the above parameters made it possible to identify the "digital footprint" of a passenger holding a transport card with a specific number, which in turn made it possible to reconstruct his or her travel, since information about trips was stored for 20 years. This, in fact, led to the finding of a violation of the principle of data retention limitation.
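The linkage described above, modelled in a small added Python example that is not part of the original article or of the transport organization's system. All card numbers, PINs, birth months, beneficiary categories and trip dates are constructed sample values, and the storage layout (card number and PIN hashed together, birth month/year and category stored alongside the hash) is an assumption about the design rather than a fact from the decision. The example shows why a deterministic, unkeyed hash turns every trip ever recorded into one stable profile for as long as the data is kept, and contrasts it with two defensive changes a DPIA would be expected to weigh: a keyed pseudonym (HMAC) whose key rotates per retention period and can be destroyed, and an enforced retention limit.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date

# Constructed sample trips: every value below is made up for this example.
# Assumed layout: card number + PIN are hashed together; birth month/year and
# beneficiary category are stored next to the hash in the same record.
TRIPS = [
    {"card": "1234567890", "pin": "12345678", "birth": "1985-06", "category": "student", "date": date(2018, 1, 5)},
    {"card": "1234567890", "pin": "12345678", "birth": "1985-06", "category": "student", "date": date(2018, 3, 14)},
    {"card": "1234567890", "pin": "12345678", "birth": "1985-06", "category": "student", "date": date(2019, 1, 20)},
    {"card": "9876543210", "pin": "87654321", "birth": "1990-11", "category": "senior",  "date": date(2018, 1, 5)},
]


def unkeyed_pseudonym(trip):
    """Deterministic SHA-256 of card number + PIN. The same card always yields the
    same value, so every trip ever recorded for it shares one identifier."""
    return hashlib.sha256(f"{trip['card']}:{trip['pin']}".encode()).hexdigest()


def fresh_period_keys(periods):
    """One random 256-bit key per retention period (here: per calendar year)."""
    return {p: secrets.token_bytes(32) for p in periods}


def keyed_rotating_pseudonym(trip, period_keys):
    """HMAC-SHA256 under the key of the trip's period. Trips from different periods
    never share a pseudonym, and once a period's key is destroyed its records can
    no longer be tied back to a card at all."""
    key = period_keys[trip["date"].year]
    return hmac.new(key, f"{trip['card']}:{trip['pin']}".encode(), "sha256").hexdigest()


def build_footprints(trips, pseudonym_fn, **kwargs):
    """Group trips by pseudonym. This grouping is the 'digital footprint' the DPA
    objected to: one key, all of that passenger's journeys."""
    footprints = defaultdict(list)
    for trip in trips:
        footprints[pseudonym_fn(trip, **kwargs)].append((trip["date"], trip["birth"], trip["category"]))
    return dict(footprints)


def longest_footprint_days(footprints):
    """How far back a single pseudonym's trips can be traced, in days."""
    spans = []
    for records in footprints.values():
        dates = [r[0] for r in records]
        spans.append((max(dates) - min(dates)).days)
    return max(spans) if spans else 0


def enforce_retention(trips, today, max_age_days):
    """Retention limitation: drop every trip older than max_age_days."""
    return [t for t in trips if (today - t["date"]).days <= max_age_days]


if __name__ == "__main__":
    unkeyed = build_footprints(TRIPS, unkeyed_pseudonym)
    print("unkeyed hash: profiles =", len(unkeyed), "| longest trace =", longest_footprint_days(unkeyed), "days")
    keys = fresh_period_keys({2018, 2019})
    keyed = build_footprints(TRIPS, keyed_rotating_pseudonym, period_keys=keys)
    print("keyed + rotating: profiles =", len(keyed), "| longest trace =", longest_footprint_days(keyed), "days")
    kept = enforce_retention(TRIPS, date(2019, 2, 1), 90)
    print("after a 90-day retention limit:", len(kept), "trip(s) kept")
```

With the unkeyed hash, the first card's three trips collapse into a single profile traceable across 380 days (and, with a 20-year retention period, across 20 years). With per-year keys the same trips split into separate, unlinkable profiles, and the longest trace shrinks to the length of one period; destroying an expired period's key, together with deleting records past the retention limit, is what keeps the stored data from becoming a long-term travel history.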
In addition, the supervisory authority remained dissatisfied with the level of preparation of the risk assessment document: firstly, it was absent when the inspection began, and secondly, the (obviously) hastily prepared conclusion did not contain a clear explanation of the approach used to determine the likelihood of the identified risks and their potential consequences, which allowed a violation of Article 35(1) of the GDPR to be established.