Data Protection Impact Assessment: the French DPA publishes list of processing operations
The French Data Protection Authority publishes a list of 14 processing operations subject to DPIA as well as DPIA Guidelines to complement the WP29 guidelines on DPIA.
Article 35 of the EU General Data Protection Regulation (GDPR) [1] requires a Data Protection Impact Assessment (DPIA) to be carried out where the processing is likely to result in a high risk to the rights and freedoms of the data subjects. A DPIA aims at identifying the characteristics of the processing, the risks it entails and the measures adopted to address them.
Article 35.4 of the GDPR further provides that national supervisory authorities can establish and make public a list of the kinds of processing operations which are subject to the requirement for a DPIA. Earlier this year, 22 national supervisory authorities, including the CNIL, submitted their lists of processing operations requiring a DPIA to the EDPB for its opinion.
Following the EDPB's opinion, the French Data Protection Authority (hereinafter the CNIL) adopted its final list on 11 October 2018 [2], which includes 14 types of processing operations for which a DPIA is required:
| Types of processing | Examples provided by the CNIL |
|---|---|
| Processing of health data implemented by health facilities or medico-social facilities for the care of individuals. | Processing implemented by health facilities (hospitals, university hospitals, clinics, etc.). |
| Processing of genetic data of vulnerable subjects such as patients, employees, children, etc. | Implementation of a medical research tool on patients including the processing of their genetic data. |
| Establishing profiles of individuals for HR management purposes. | Processing to improve recruitment, such as processing based on a selection algorithm. |
| Processing whose purpose is to constantly monitor the activity of the relevant employees. | CCTV filming employees handling money. |
| Managing alerts and reports on social and health matters. | Reporting mechanisms for minors in danger. |
| Whistleblowing systems. | System for collecting professional alerts for private or public bodies. |
| Processing of health data needed to build a data warehouse or registry. | Data warehouse implemented by a health facility for research purposes. |
| Processing involving profiling of persons that leads to the exclusion of the right to enter into a contract, or to the suspension or termination of a contract. | Behavioral analysis-based processing to detect "forbidden" behaviors on a social network. |
| Mutualized processing of contractual breaches that may lead to a decision to exclude a person from the benefit of a contract or to suspend a contract. | Identifying unpaid and irregular subscriptions shared by a sector of industry. |
| Profiling using data from external sources. | Processing for the provision of targeted advertising. |
| Biometric data processing for identifying data subjects, including vulnerable data subjects (pupils, elderly people, patients, asylum seekers, etc.). | Access control to the school canteen by recognizing the outline of the hand. |
| Examination of an application for social housing and social housing management. | Processing to enable the handling of social housing applications for rental or home ownership. |
| Processing for the purpose of giving medical, psychological and social assistance. | Processing implemented by an institution or an association in the context of the care of people in integration or social and professional reintegration. |
| Large-scale processing of location data. | Mobile application processing user geolocation data. |
On its website, the CNIL also provides more practical examples of the types of processing activities for each of these categories.
The list is non-exhaustive and may be regularly reviewed.
The same day, the CNIL adopted its own guidelines on DPIA [3], which complement the WP29 guidelines on DPIA [4] and cover the following issues:
- the scope of the obligation to carry out a DPIA,
- the conditions in which a DPIA must be carried out, and
- the situations in which a DPIA must be communicated to the CNIL.
The CNIL announced that it will soon publish its list of processing operations for which a DPIA is not required.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] Délibération n° 2018-327 du 11 octobre 2018 portant adoption de la liste des types d'opérations de traitement pour lesquelles une analyse d'impact relative à la protection des données est requise.
[3] Délibération n° 2018-326 du 11 octobre 2018 portant adoption de lignes directrices sur les analyses d'impact relatives à la protection des données (AIPD) prévues par le règlement général sur la protection des données.
[4] Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, wp248rev.01.