METICOS Deliverable D3.1 Impact assessment and recommendations (first version)

This document is Deliverable D3.1 – “Impact assessment and recommendations (first version)” of WP3 of the METICOS project.
The aim of this document is to complete a comprehensive Data Protection Impact Assessment (DPIA) of the METICOS platform. A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. In other words, a DPIA is a process for building and demonstrating compliance with the General Data Protection Regulation (GDPR) and other privacy requirements.
To achieve its purposes, this Deliverable:

•  details why a DPIA is required in the context of METICOS, identifies the elements that a DPIA must contain in accordance with the GDPR and describes the methodology being followed to conduct the DPIA of the METICOS platform.
•  contains an overview of the processing carried out by the METICOS platform, a description of the data collected by each data source, a data flow diagram and an overall description of processes being carried out by each component.
• ensures that the METICOS platform is built in compliance with the following privacy principles: purpose limitation, lawfulness, necessity of the data processing operations, data minimization, data quality and storage limitation. Controls protecting data subjects’ rights as well as the legal exemptions are also being examined.
• proceeds to the identification of the risks to the rights and freedoms of the data subjects and contains recommendations of technical or operational solutions and mitigation measures to address those risks.

The analysis and hence the outcomes of this Deliverable will in turn inform the METICOS developers and data providers about the ways for developing and using the METICOS technology to ensure that data protection and privacy principles are taken care of.

It is important to note that, in line with the Grant Agreement, this Deliverable (D3.1) is due on M12 and consists into a first version of the DPIA. This first version is based on the information having been provided by the partners at this stage (M12) of the project where some technical aspects are still to be defined or detailed. Moreover, during the project duration, the development of the METICOS platform might evolve and deviate from the way it is currently being described it this document. Therefore, the second final version of the DPIA (D3.6), which is due on M26, will contain the necessary updates and reviews on the elements that are still unknown or insufficiently detailed in this first version. Moreover, in order to ensure completeness and consistency, the final version (D3.6) of the DPIA will also contain the views of external stakeholders (e.g., technical experts, lawyers, civil servants, privacy advocates, citizens, human rights experts, LEAs, immigration experts, as well as others) and of the Data Protection Officers (DPOs) of the METICOS joint controllers as well as the opinion of the Ethical Advisory Board.