The Commission Nationale de l’Informatique et des Libertés has published a list of processing operations that require a data protection impact assessment (in French). The list includes in particular the following cases:
- Processing of health data used by health care institutions or medical-social institutions to care for people;
- Processing of genetic or biometric data of particularly vulnerable persons (patients, staff, children, etc.);
- Creation of profiles of persons for personnel management;
- Monitoring of employees;
- Processing operations which may result in the exclusion of data subjects from a contract or the termination of a contract;
- Profiling with data from external sources;
- Processing within human resources, profiling excluded, for the sole purpose of organising personnel within a company of fewer than 250 employees;
- Contract management of supplier relationships;
- Processing for the purpose of managing municipal electoral registers;
- Processing for the purpose of managing works councils;
- Processing of non-sensitive data by an association, foundation or other non-profit organization for the management of its members and donors in the context of their normal activities;
- Processing of health data for the purposes of patient care by a specialist working in a doctor’s office, pharmacy or a medical-biological specialist;
- Processing by lawyers and notaries in the context of their professional practice;
- Processing of non-biometric, sensitive or very personal data, which is only used to manage access controls and schedules to calculate working hours.