CNIL publishes list of data processing operations requiring a DPIA

By Ariane Mole, Merav Griguer

11-2018

France's data protection body CNIL has published a list of categories for data processing operations that require a Data Protection Impact Assessment (DPIA). This list was published on November 6, 2018 in the French Official Journal, available here.

Article 35.4 of the GDPR provides that each Supervisory Authority must establish and publish a list of the categories of processing operations which are subject to a DPIA requirement.

Below is a translation of the list:

| Type of processing operation | DPIA criteria it meets (from the criteria issued by the European Data Protection Board, EDPB) |
|---|---|
| Health data processing carried out by health establishments or medico-social establishments for the care of persons | collection of sensitive data; persons referred to as "vulnerable" |
| Processing of genetic data of people considered "vulnerable" (patients, employees, children, etc.) | collection of sensitive data; persons referred to as "vulnerable" |
| Processing operations profiling natural persons for human resources management purposes | evaluation or scoring; persons referred to as "vulnerable" |
| Processing operations for the purpose of constantly monitoring the activity of the employees involved | persons referred to as "vulnerable"; systematic monitoring |
| Processing for the purpose of managing alerts and reports on social and health matters | persons referred to as "vulnerable"; evaluation or scoring; collection of sensitive data |
| Processing operations for the purpose of managing alerts and reports in professional matters | persons referred to as "vulnerable"; evaluation or scoring; collection of sensitive data |
| Processing of health data necessary for the establishment of a data warehouse or register | collection of sensitive data; persons referred to as "vulnerable" |
| Processing involving the profiling of persons which may result in their exclusion from a contract or in its suspension or termination | evaluation or scoring; cross-referencing or combination of data sets |
| Shared processing of identified contractual breaches, which may lead to a decision to exclude or suspend the benefit of a contract | cross-referencing or combination of data sets; automated decision-making with legal or similar significant effect |
| Processing for profiling purposes using data from external sources | evaluation or scoring; cross-referencing or combination of data sets |
| Processing of biometric data for the purpose of recognizing persons, including so-called "vulnerable" persons (pupils, elderly, patients, asylum seekers, etc.) | collection of sensitive data; persons referred to as "vulnerable" |
| Examination of applications and management of social housing | collection of sensitive data; evaluation or scoring |
| Processing for the purpose of social or medico-social support for people | collection of sensitive data; evaluation or scoring; persons referred to as "vulnerable" |
| Large-scale processing of location information | collection of sensitive data; data processed on a large scale |

In addition, the CNIL issued on the same day another decision on guidelines for DPIAs, which also contains some explanations on processing operations that do not need to be subject to a DPIA because they are unlikely to create a "high risk to the rights and freedoms of natural persons". The guidelines are available here.

The CNIL said that it will soon publish a list of processing operations that do not require a DPIA. In the meantime, the CNIL has already decided on two types of processing where a DPIA is not required:

- Processing operations carried out in compliance with a legal obligation: processing operations carried out in compliance with a legal obligation to which the controller is subject, or which are necessary for the performance of a public service mission entrusted to the controller, where such processing operations have a legal basis in national or European Union law and a DPIA was already carried out at the time when this legal basis was adopted.

- Processing operations for which a similar DPIA was already conducted: a DPIA is not required either where the nature, scope, context and purposes of the planned processing operation are very similar to those of a processing operation for which a DPIA was already carried out by the controller or by a third party (public authorities or bodies, group of controllers, etc.); in this case, the results of the DPIA already carried out may be re-used. However, in the case of a DPIA carried out by a third party, the controller concerned must transpose, in whole or in part, the results of that DPIA to its particular situation.

Nevertheless, the CNIL underlines that, even in cases where a DPIA is not required, the processing must comply with the data protection principles set out in article 5 of the GDPR and with data subjects' rights.