Data Protection Impact Assessment: the French Data Protection Authority publishes a list of processing operations subject to DPIA and DPIA Guidelines

The French Data Protection Authority publishes a list of 14 processing operations subject to DPIA as well as DPIA Guidelines to complement the WP29 guidelines on DPIA.

Article 35 of the EU General Data Protection Regulation (GDPR)¹ requires a Data Protection Impact Assessment (DPIA) to be carried out where the processing is likely to result in a high risk to the rights and freedoms of the data subjects. A DPIA aims at identifying the characteristics of the processing, the risks and the measures adopted.

Article 35.4 of the GDPR further provides that national supervisory authorities can establish and make public a list of the kinds of processing operations which are subject to the requirement for a DPIA. Earlier this year, 22 national supervisory authorities, including the CNIL, submitted their lists of processing operations requiring a DPIA to the EDPB for its opinion.

Following the EDPB's opinion, the French Data Protection Authority (hereinafter the CNIL) adopted its final list on 11 October 2018², which includes 14 types of processing operations for which a DPIA is required:

Type of processing: Processing of health data implemented by health facilities or medico-social facilities for the care of individuals.
Criteria based on EDPB guidelines:
  • Processing of sensitive data.
  • Vulnerable data subjects.
Examples provided by CNIL: Processing implemented by health facilities (hospitals, university hospitals, clinics, etc.):
  • Patient file.
  • Medical decision-making algorithms.
  • Health vigilance and risk management systems.
  • Telemedicine devices.
  • Management of the laboratory, etc.

Type of processing: Processing genetic data of vulnerable subjects such as patients, employees, children, etc.
Criteria based on EDPB guidelines:
  • Processing of sensitive data.
  • Vulnerable data subjects.
Examples provided by CNIL: Implementation of a medical research tool on patients, including the processing of their genetic data.

Type of processing: Establishing profiles of individuals for HR management purposes.
Criteria based on EDPB guidelines:
  • Evaluation or scoring.
  • Vulnerable data subjects.
Examples provided by CNIL: Processing to improve recruitment, such as processing based on a selection algorithm.

Type of processing: Processing whose purpose is to constantly monitor the activity of the relevant employees.
Criteria based on EDPB guidelines:
  • Vulnerable data subjects.
  • Systematic monitoring.
Examples provided by CNIL: CCTV filming employees handling money.

Type of processing: Managing alerts and reports on social and health matters.
Criteria based on EDPB guidelines:
  • Evaluation or scoring.
  • Vulnerable data subjects.
  • Processing of sensitive data.
Examples provided by CNIL: Reporting mechanisms for minors in danger.

Type of processing: Whistleblowing systems.
Criteria based on EDPB guidelines:
  • Vulnerable data subjects.
  • Evaluation or scoring.
  • Processing of sensitive data.
Examples provided by CNIL: System for collecting professional alerts for private or public bodies.

Type of processing: Processing of health data needed to build a data warehouse or registry.
Criteria based on EDPB guidelines:
  • Processing of sensitive data.
  • Vulnerable data subjects.
Examples provided by CNIL: Data warehouse implemented by a health facility for research purposes.

Type of processing: Processing involving profiling of persons that leads to the exclusion of the right to enter into a contract, or to the suspension or termination of a contract.
Criteria based on EDPB guidelines:
  • Evaluation or scoring.
  • Matching or combining datasets.
Examples provided by CNIL: Behavioral analysis-based processing to detect "forbidden" behaviors on a social network.

Type of processing: Mutualized processing of contractual breaches that may lead to a decision to exclude a person from the benefit of a contract or to suspend a contract.
Criteria based on EDPB guidelines:
  • Matching or combining datasets.
  • Automated decision making with legal effect or significant similar effect.
Examples provided by CNIL: Identifying unpaid and irregular subscriptions shared by a sector of industry.

Type of processing: Profiling using data from external sources.
Criteria based on EDPB guidelines:
  • Evaluation or scoring.
  • Matching or combining datasets.
Examples provided by CNIL: Processing for the provision of targeted advertising.

Type of processing: Biometric data processing for identifying data subjects, including vulnerable data subjects (pupils, elderly people, patients, asylum seekers, etc.).
Criteria based on EDPB guidelines:
  • Processing of sensitive data.
  • Vulnerable data subjects.
Examples provided by CNIL: Access control to the school canteen by recognizing the outline of the hand.

Type of processing: Examination of an application for social housing and social housing management.
Criteria based on EDPB guidelines:
  • Processing of sensitive data.
  • Evaluation or scoring.
Examples provided by CNIL: Processing to enable the processing of social housing applications for rental or home ownership.

Type of processing: Processing for the purpose of giving medical, psychological and social assistance.
Criteria based on EDPB guidelines:
  • Processing of sensitive data.
  • Evaluation or scoring.
  • Vulnerable data subjects.
Examples provided by CNIL: Processing implemented by an institution or an association in the context of the care of people in integration or social and professional reintegration.

Type of processing: Large scale processing of location data.
Criteria based on EDPB guidelines:
  • Processing of sensitive data.
  • Data processed on a large scale.
Examples provided by CNIL: Mobile application for processing user geolocation data.

On its website, the CNIL also provides more practical examples of the types of processing activities for each of these categories.

The list is non-exhaustive and may be regularly reviewed.

The same day, the CNIL adopted its own guidelines on DPIA³, which complement the WP29 guidelines on DPIA⁴ and cover the following issues:

  • The scope of the obligations to carry out a DPIA,
  • The conditions in which a DPIA must be carried out, and
  • The situations in which a DPIA must be communicated to the CNIL.

The CNIL announced that it will soon publish its list of processing operations for which a DPIA is not required.

 


 

1 Délibération n° 2018-326 du 11 octobre 2018 portant adoption de lignes directrices sur les analyses d'impact relatives à la protection des données (AIPD) prévues par le règlement général sur la protection des données.
2 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, wp248rev.01
3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 
4 Délibération n° 2018-327 du 11 octobre 2018 portant adoption de la liste des types d'opérations de traitement pour lesquelles une analyse d'impact relative à la protection des données est requise.
