Data protection impact assessment (DPIA) under French law

The Commission Nationale de l’Informatique et des Libertés has published a list of processing operations that require a data protection impact assessment (in French). The list includes in particular the following cases:

  • Processing of health data used by health care institutions or medical-social institutions to care for people;
  • Processing of genetic or biometric data of particularly vulnerable persons (patients, staff, children, etc.);
  • Creation of profiles of persons for personnel management;
  • Monitoring of employees;
  • Processing operations which may result in the exclusion of data subjects from a contract or the termination of a contract;
  • Profiling with data from external sources.

A list containing processing operations without the obligation of a DPIA has also been published (in French). The list includes the following cases in particular:

  • Processing within human resources, profiling excluded, for the sole purpose of organising personnel within a company of fewer than 250 employees;
  • Contract management of supplier relationships;
  • Processing for the purpose of managing municipal electoral registers;
  • Processing for the purpose of managing works councils;
  • Processing of non-sensitive data by an association, foundation or other non-profit organization for the management of its members and donors in the context of their normal activities;
  • Processing of health data for the purposes of patient care by a specialist working in a doctor’s office or pharmacy, or by a medical-biological specialist;
  • Processing by lawyers and notaries in the context of professional practice;
  • Processing of data that is not biometric, sensitive or very personal, and which is only used to manage access controls and schedules to calculate working hours.
