Audit modelPre-DPIA tool based on the GEB/DPIA VTC criteria list

Does the processing involve biometric data used to uniquely identify individuals in public spaces or publicly accessible private spaces, including educational institutions and (other) premises of Flemish administrative authorities?

Is there large-scale processing and/or systematic monitoring of individuals' location data, or data that could be used to locate them (e.g., by scanning cars, navigation systems, or phones, or by processing public transport passengers' location data)?

where special categories of personal data within the meaning of Article 9 of the GDPR310, as well as personal data concerning criminal convictions or offenses within the meaning of Article 10 of the GDPR or data of a highly personal nature (such as financial data and data on income and assets, unemployment, participation in youth or social activities, data on domestic and private activities, location data) are systematically exchanged between multiple controllers.

when there is large-scale and/or systematic processing of telephone, internet, or other communication data, metadata, or location data from or traceable to natural persons (e.g., Wi-Fi tracking or processing of location data of public transport travelers) when the processing is not strictly necessary for a service requested by the data subject. TELECOM [criteria 3, 5, and 8];

when there is large-scale and/or systematic monitoring of publicly accessible areas using cameras, webcams, or drones, as well as the reuse or sharing of such footage or derived information. CAMERA FOOTAGE [criteria 3 and 5];

when there is processing involving blacklists: processing of personal data concerning criminal convictions and offenses, data on unlawful or disruptive behavior, or data on poor payment behavior, with the aim of enabling decisions that have legal consequences for the data subjects or that significantly affect them otherwise (blacklists or warning lists, such as blacklists related to unlawful behavior of employees, for example in healthcare, or disruptive behavior of tenants in social housing. BLACKLISTS [criteria 4, 6, 7, 8];

when large-scale non-pseudonymized data of children and youth are collected or their non-pseudonymized data are systematically exchanged between multiple controllers, and not all collection or exchange purposes are educational. CHILDREN AND YOUTH [criteria 5 and 7];

when large-scale data of persons with a migration background or members of ethnic-cultural minorities are collected or systematically exchanged between multiple controllers. MINORITIES [criterion 5 and 7];

when large-scale data of vulnerable segments of the population are collected or systematically exchanged between multiple controllers. VULNERABLE PERSONS [criteria 5 and 7];

Large-scale processing of personal data and/or systematic monitoring of employee activities (e.g., monitoring email and internet use, GPS systems in employees' (freight) cars, or camera surveillance for the purpose of theft and fraud prevention). EMPLOYEE MONITORING [criteria 3, 5, and 7];

when personal data are collected from other Flemish or other administrative authorities or third parties to be considered when deciding to refuse or terminate a specific service with a natural person. NO SERVICE [criteria 6 and 9];

When large-scale personal data is collected, whether from third parties or not, to be considered when deciding to start a specific service or granting rights without the involvement of the data subjects.

When health data of a data subject is collected automatically through an active implantable medical device.

When there is large-scale processing of data generated by devices with sensors that transmit data over the internet or another medium (‘internet of things’ applications, such as smart TVs, smart home appliances, smartphones, connected toys, care robots, smart cities, smart meters, etc.) and this processing is intended to analyze or predict the economic situation, health, personal preferences or interests, reliability or behavior, location or movements of natural persons.

When large-scale data is collected from third parties to analyze or predict the economic situation, health, personal preferences or interests, reliability or behavior, location or movements of natural persons.

When large-scale processing of personal data involves systematically observing, collecting, recording, or influencing behavior of natural persons through automated processing, including for public advertising, public marketing, or public service purposes.

when there is matching or combining datasets, for example, datasets that come from two or more data processing operations carried out for different purposes and/or by different controllers in a way that exceeds the reasonable expectations of the data subject.

This processing must undergo a data protection impact assessment if all of the following conditions are met:

• (a) the linkage or further or subsequent processing is large-scale;

• (b) at least some data is processed for purposes different from the original processing;

• (c) algorithms are used that are not understandable to the data subjects;

When large-scale processing of data mentioned under point 3) or of persons mentioned in 7), 8), 9), and 10) relies on non-European suppliers and it cannot be excluded that they have access to the personal data.

When large-scale processing of (special) personal data and/or systematic monitoring in the context of fraud prevention is involved.

When actions are taken in large-scale processing that allow pseudonymized or encrypted data to be re-linked to an identified or identifiable natural person.