France: CNIL Issues Guidance On DPIAs

16 January 2019

by Laurent De Muyter , Undine Von Diemar , Olivier Haas , Jörg Hladjk , Bastiaan Kout , Jonathon Little , Martin Lotz , Hatziri Minaudier , Selma Olthof , Audrey Paquet , Sara Rizzon , Irene Robledo , Elizabeth A. Robertson and Rhys Thomas

Jones Day

Your LinkedIn Connections
with the authors

To print this article, all you need is to be registered or login on Mondaq.com.

On November 6, the CNIL provided further guidance on conducting DPIAs ( source document in French). The CNIL mentioned that a DPIA should: (i) precisely describe the data processing; (ii) provide a legal assessment of whether or not such processing is necessary and proportional to the fundamental rights concerned; and (iii) provide an evaluation of the technical risks in terms of data security. The CNIL explained that DPIAs are mandatory when using a type of processing that the CNIL already stated requires a DPIA (see CNIL's Decision n° 2018-327 of October 10, 2018) and whenever the processing meets at least two of the nine criteria mentioned under the G29 Guidelines (see Decision n° 2018-326 of October 10, 2018).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

AUTHOR(S)

Laurent De Muyter

Jones Day