The CNIL has adopted its final list of processing for which a DPIA is required. The French authority had already submitted a draft to the European Data Protection Board.
It has also published its DPIA guidelines to clarify:
- the scope of the obligation to carry out a DPIA;
- the conditions of realization of the DPIA;
- the cases in which a DPIA must be transmitted to it.
Article 35 of the RGPD provides three types of processing that may pose a high risk requiring a DPIA:
- “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”;
- processing on a large scale of special categories of data or relating to criminal convictions and offenses;
- systematic monitoring of a publicly accessible area on a large scale.
Position of the EDPB
Beyond these three processing operations, the EDPB has identified nine criteria for characterizing a processing likely to create a highrisk:
- data processed on a large scale;
- sensitive data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or health data, biometric data and data concerning life or sexual orientation) or highly personal data (data relating to electronic communications, location data, financial data, etc.);
- data concerning vulnerable people (patients, elderly people, children, etc.);
- crossor combination of data;
- evaluation/ scoring (including profiling);
- automated decision making with legal effect or the like;
- systematic monitoring of people;
- processing that may exclude the benefit of a right, service or contract;
- innovativeuse or application of new technological or organizational solutions.
Processing for which an AIPD is not required, according to the CNIL
The CNIL considers that, in principle, a processing that meets at least two of the criteria mentioned above must be the subject of DPIA.
It also listed treatments that are not subject to a DIPA:
- Unless otherwise required by law, the processing that meets the legal obligation to which the controller is subject, or that is necessary for the performance of a public service mission entrusted to the person in charge of the service, is not subject to DPIA, where these have a legal basis in national or European Union law, that this law regulates them, and that a DPIA has already been conducted when this legal basis was adopted;
- when the nature, scope, context and purpose of the proposed operations of processing are very similar to a processing for which a DPIA has already been conducted by the controller or by a third party (authorities or public bodies, group of controllers , etc.); in this case, the results of the DPIA already conducted can be reused.
The list of operations of processing for which an AIPD is required
The list of types of processing operations for which a data protection impact assessment is required:
- Health data processing implemented by health establishments or medical-sociale stablishments for the care of persons;
- Processing dealing with genetic data of so-called “vulnerable” people (patients, employees, children, etc.);
- Processing establishing profiles of natural persons for human resource management purposes;
- Processing whose purpose is to constantly monitor the activity of the employees concerned;
- Processing whose purpose is the management of alerts and reports in social and health matters;
- Processing whose purpose is the management of alerts and reports in professional matters;
- Processing of health data necessary for the establishment of a data warehouse or register;
- Processing involving the profiling of persons that may lead to their exclusion from the benefit of a contract or the suspension or even the breaking of the contract;
- Mutualized Processing of contractual breaches that may lead to a decision to exclude or suspend the benefit of a contract;
- Profiling using data from external sources;
- Biometric data processing for the purpose of recognizing persons including “vulnerable” persons (pupils, elderly people, patients, asylumseekers, etc.);
- Examination of applications and management of social housing;
- Processing for the purpose of providing social or medico-social support to persons
- Large scale location data processing.