Emergency drill: ECB's medical scheme and DPIAs
Barbara Eggl, Owe Langfeldt
DPO-EDPS Meeting, 31/05/2018

Agenda
  DPIA: state of play
    EDPS guidance
    WP29/EDPB and national methodologies
  Group work: based on a true story...
  ECB medical scheme
    Challenges
    Lessons learned
  Q & A
DPIA: EDPS guidance
  Recap: what happened at past DPO meetings?
    Alicante: new architecture and risk-based approach
    Tallinn: threshold assessments
    London: guiding questions
  'Accountability on the ground': preliminary version of 02/2018
    Why 'preliminary'? We were still waiting for the agreed text of the 'new 45' (the regulation replacing Regulation (EC) No 45/2001)
    But: the articles on records and DPIAs were not the controversial ones
    Feedback received, and still welcome
    Update to come very soon with the final agreed text of the 'new 45'
    Article 39(4) list (processing operations requiring a DPIA) to come
  Risk mindset: the same logic applies to less risky processing too

DPIA: WP29/EDPB guidance and national methodologies
  WP29 Guidelines: rather general on how to do a DPIA, more concrete on the threshold (when one is required)
  The EDPS toolkit provides some guidance, but all GDPR-compliant methodologies are acceptable
  ES, FR (also available in other languages) and UK have updated their guidance in the meantime; there is no EDPS-imposed methodology
  Common framework:
    description of the processing
    necessity and proportionality
    risk assessment and treatment
    process perspective: it is not over once you have a report!
Group work... based on a true story
  Scenario: based on the ECB medical scheme, but limited in scope
  Processing operations:
    reimbursement of medical expenses
    24/7 helpline for staff
    fraud detection and reporting of suspicions
    reporting to the EUI
  Data subjects: covered staff members and dependents
  Players: EUI, staff, service provider
  NB: different system and legal basis; pretend you don't remember JSIS / the 'normal' Staff Regulations
  More information in your materials

Group work... based on a true story (data flow diagram)
  Actors: EUI staff, doctors, EUI, provider
  Patient-doctor relationship between EUI staff and doctors
  EUI staff submit claims to the provider; the provider reimburses them
  EUI sends enrolment information to the provider
  Provider: claims settlement, helpline, fraud detection
  Provider reports to the EUI: information on suspicious cases, reports on use of the system

Group work: results? Some possible risks and controls
  Risk: further subcontracting, leading to loss of control
    Control: rules in contract
  Risk: unauthorised further use of data by the contractor
    Control: rules in contract, audit trail
  Risk: interception of claims during submission
    Control: ... will be defined in the security requirements for the submission system
  Risk: leaks via the helpline
    Control: access control for helpline staff / training / authentication of callers
  Risk: disclosure of personal data in reporting on system use to the EUI
    Control: business rules on anonymisation / pseudonymisation
  Risk: excessive disclosures in dealing with suspected fraud
    Control: business rules
ECB Medical Scheme: Challenges
  Mapping flows for complex processing operations proved difficult
  Many internal and external actors involved
  Subcontracting: understanding relationships and ensuring requirements are passed on
  EEA processing: getting contractors to understand that extra-EEA access (e.g. by a helpdesk) is processing too
  Creativity for thinking of risks: what could possibly go wrong (risk catalogue)?
  When to go for prior consultation?

ECB Medical Scheme: Lessons learned
  Early DPO involvement is crucial:
    Fraud prevention: DPO comments on the update of the staff rules helped to ensure data minimisation
    Tender specifications: include data protection requirements and a data protection annex early on
    Avoids having / discovering problems down the line!
  Data protection culture: the controller side is very data protection aware. Many questions, but often just to confirm their (correct) analysis
  Awareness-raising pays off
Q&A
  Any DPIA experience you'd like to share?
  Problems encountered, lessons learned...?
  Feedback on the toolkit?

Thank you for your attention!
For more information:
  www.edps.europa.eu
  edps@edps.europa.eu
  @EU_EDPS
Additional Background Slides
Shift in supervision architecture (Regulation (EC) No 45/2001 to the 'new 45')
  Prior check opinion (Article 27) becomes prior consultation
  Article 27 notifications (to the EDPS) become the DPIA
  Article 25 notifications (to the DPO) become records of processing
Documentation overview