European Union: Adopted EDPB Opinion 6/2024 on the draft list of the Latvian SA on processing operations exempt from the data protection impact assessment requirement

On 16 April 2024, the European Data Protection Board (EDPB) adopted its Opinion 6/2024 on the draft list of the Latvian supervisory authority (SA) on processing operations exempt from the data protection impact assessment requirement, pursuant to Article 35(5) of the EU General Data Protection Regulation (GDPR). In compliance with Articles 35(6) and 64(2) GDPR, the EDPB has to issue an opinion when a SA intends to adopt a list of processing operations not subject to the requirement for a data protection impact assessment pursuant to Article 35(5) GDPR. The aim of the opinion is to create a harmonised approach to data processing that is cross border or that can affect the free flow of personal data or natural person across the EEA. Data protection impact assessments are only mandatory for controllers pursuant to Article 35(1) GDPR, where processing is “likely to result in a high risk to the rights and freedoms of natural persons”. The national SAs can issue lists concerning certain processing activities which always require a data protection impact assessment ('blacklists') per Article 35(4) GDPR, as well as lists where no data protection impact assessment is necessary per Article 35(5) GDPR ('whitelists'). The EDPB concluded that the draft list of Latvian SA may lead to an inconsistent application of Article 35 GDPR and recommends restricting the scope of of the processing in several contexts, including human resources, the management of multi-apartment residential buildings, and processing carried out by an association, foundation, religious organisation or political party.