Privacy & Information Security Law Blog

On October 22, 2019, the French Data Protection Authority (the “CNIL”) published a list of processing operations (in French) that it considers not requiring a data protection impact assessment (“DPIA”). The CNIL had previously adopted and published a final list of processing operations requiring a DPIA on November 6, 2018. The final list includes 12 types of processing operations for which a DPIA is not considered mandatory. The CNIL provided concrete examples for each type of processing operation, including:

• processing operations for HR purposes for companies employing less than 250 employees and excluding profiling (payroll, employees training, time management, use of communication tools, management of annual evaluations and expenses reimbursement);
• processing operations for vendor management purposes (to perform administrative operations in relation to contracts, orders and billing; to establish vendors’ financial statistics and turnover, and to maintain vendors documentation); and
• processing operations for controlling physical access to buildings or working hours (with the exclusion of biometric systems and under the condition that they do not include sensitive data).

The CNIL emphasized that this list was not exhaustive and some processing operations not included in the list also could be exempt from a DPIA, provided they are not presenting a high risk for the rights and freedoms of individuals.