LIST OF PROCESSING OPERATIONS FOR WHICH A DATA PROTECTION IMPACT ASSESSMENT (DPIA) IS REQUIRED

  1. Processing activities that rely on genetic data as defined under GDPR article 4 (13) in conjunction with at least one other criteria from the article 29 working party guidelines (WP248 rev. 01), except for healthcare professionals when providing healthcare services;
  2. Processing activities that include biometric data as defined under GDPR article 4(14) and have as a purpose identification of data subjects in conjunction with at least one other criteria from the article 29 working party guidelines (WP248 rev. 01);
  3. Processing activities involving the combination, matching or comparison of personal data collected from processing activities having different purposes (from the same or different data controllers)– provided that they produce legal effects concerning the natural person or similarly significantly affects the natural person;
  4. Processing activities that consist of or include regular and systematic monitoring of employee activities - provided that they might produce legal effects concerning the employees or similarly significantly affects them;
  5. Processing activities on files that might contain personal data of the whole national population provided that such a DPIA has not already been carried out as part of a general impact assessment in the context of the adoption of that legal basis;
  6. Processing activities that have a scientific, historical research purpose or a statistical purpose as required in Article 65 of the law of August 1st, 2018 (Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et mise en oeuvre du règlement (UE) 2016/679 du parlement européen et du Conseil du 27 avril 2016) ;
  7. Processing activities that consist in systematic tracking of natural persons position;
  8. Processing activities based on indirect collection of personal data when it is not possible / feasible to guarantee the right of information in conjunction with at least one other criteria from the article 29 working party guidelines (WP248 rev. 01).

Dernière mise à jour