To promote the assessment of risks that threaten privacy and the protection of personal data, the CNDP is adopting the principles and guidelines, published on December 17, 2020.
–
com_redaction-28
In a press release dated December 17, the CNDP (National Commission for the Protection of Personal Data) announced the publication, “as part of its ongoing work aimed at deploying a modernized culture of data protection. personal data ”, a deliberation (n ° D-188-2020) governing data protection impact assessment (AIPD).
“This deliberation lays down the principles to be observed for the assessment of risks to privacy and the protection of personal data likely to take place following a given processing”, reads the document published by the CNDP .
The latter defines the impact analysis study relating to data protection (AIPD) as “a tool for analyzing risks on privacy”, specifying that “the principle of proportionality is applied there according to the operational contexts. and privacy requirements, approved by the supervisory authority, zero risk does not exist “.
The commission aims to “promote the principle of empowerment of the entities concerned, in order to support them in their process of identifying and evaluating situations likely to present the greatest risks to the rights and freedoms of the persons concerned”.
In this sense, the CNDP stresses that it is the data controller who is responsible for establishing the impact analysis relating to data protection. He must present it, in the event of an audit, to the authority responsible for the protection of personal data.
And when it comes to sensitive treatments, the data controller must not wait for a control to present it, he must submit it for validation, “Prior to these sensitive treatments”.
Anticipating potential regulatory changes, the CNDP aims to promote “the principle of risk analysis in the field of privacy protection”. This is why it encourages “subcontractors to formalize impact analyzes relating to data protection (AIPD) in order to simplify their clients’ files of compliance with Law 09-08. These AIPD would be referenced with the Commission, without being considered as constituting any authorization for implementation since the end customer, at this stage, remains fully responsible for the integration of the subcontractor’s system into his ecosystem ”.
In order to better explain the measures taken for the protection of personal data to the persons concerned and to facilitate their exchanges with the CNDP, the latter encourages data controllers to set up AIPD, in the case of processing presumed to include a risk of breach of the protection of privacy and personal data which fall into one or more categories listed by the CNDP.
The latter also specifies that these lists “are evolving and will be regularly updated, according to its assessment of the risks that certain transactions may present”.
The categories listed by the CNDP in its deliberation n ° D-188-2020 are: “processing operations which contravene the provisions of article 11 of law 09-08, relating to the neutrality of the effects and which make it possible to take decisions on the basis of automated processing of personal data, as well as large-scale processing of sensitive data which, under Article 1 of Law 09-08, reveals racial or ethnic origin, the political opinions, religious or philosophical convictions or trade union membership of the person concerned or which relate to his health, including his genetic data.
Also, the processing operations which allow systematic monitoring of the data subjects and those carried out within the framework of the use of innovative technological or organizational solutions.
This list also extends to processing operations carried out within the framework of compliance with a legal obligation to which the controller is subject and within the framework of the performance of a public interest mission or relating to the exercise of the public authority vested in the controller. Without forgetting the treatments carried out on the basis of a legal basis which regulates them.
–