On October 11, the CNIL issued Decision No. 2018-327 adopting a list of several types of data processing operations that require the implementation of a DPIA (source document in French). The list includes, for instance, the processing of health data by medical and social entities for patient care, biometric data of persons who are considered "vulnerable" (such as students, elderly persons, and patients), and personal data for the purpose of regularly monitoring employee activity.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.