Data protection impact assessment (DPIA) under French law

The Commission Nationale de l'Informatique et des Libertés has published a list of processing operations that require a data protection impact assessment (in French). The list includes in particular the following cases:

  • Processing of health data used by health care institutions or medical-social institutions to care for people;
  • Processing of genetic or biometric data of particularly vulnerable persons (patients, staff, children, etc.);
  • Creation of profiles of persons for personnel management;
  • Monitoring of employees;
  • Processing operations which may result in the exclusion of data subjects from a contract or the termination of a contract;
  • Profiling with data from external sources.

A list containing processing operations without the obligation of a DPIA has also been published (in French). The list includes the following cases in particular:

  • Processing within human resources, profiling excluded, for the sole purpose of organising personnel within a company of fewer than 250 employees;
  • Contract management of supplier relationships;
  • Processing for the purpose of managing municipal electoral registers;
  • Processing for the purpose of managing works councils;
  • Processing of non-sensitive data by an association, foundation or other non-profit organization for the management of its members and donors in the context of their normal activities;
  • Processing of health data for the purposes of patient care by a specialist working in a doctor’s office, pharmacy or a medical-biological specialist;
  • Processing by lawyers and notaries in the context of professional practice;
  • Processing of data that is not biometric, sensitive or very personal, which is only used to manage access controls and schedules to calculate working hours.
