Data Protection Impact Assessment

Special categories of personal data

Futunk allows users to upload activity files that include geolocation and heart rate data. These are considered special categories of personal data in Article 9, Paragraph 1 of the GDPR.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Since the explicit purpose of Futunk is to showcase these activities, I believe this prohibition does not apply following Paragraphs 2(a) and 2(e) of Article 9 of the GDPR.

Paragraph 1 shall not apply if one of the following applies:

  1. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

  2. processing relates to personal data which are manifestly made public by the data subject;

DPIA Exemption

Futunk is a personal hobby project with — for the foreseeable future — a limited number of users. Due to this smaller scale, I believe Futunk to be currently exempt from requiring a Data Protection Impact Assessment following Article 35 of the GDPR.

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

(Emphasis added).