France: CNIL Adopts New Guidelines Regarding DPIAs

16 January 2019

by Laurent De Muyter , Undine Von Diemar , Olivier Haas , Jörg Hladjk , Bastiaan Kout , Jonathon Little , Martin Lotz , Hatziri Minaudier , Selma Olthof , Audrey Paquet , Sara Rizzon , Irene Robledo , Elizabeth A. Robertson and Rhys Thomas

Jones Day

Your LinkedIn Connections
with the authors

To print this article, all you need is to be registered or login on Mondaq.com.

On October 11, the CNIL adopted new guidelines on conducting DPIAs under the GDPR (source document in French). The guidelines supplement the requirements set out in Article 35(1) of the GDPR and the list of nine criteria defining high-risk data processing, adopted on October 4, 2017, by the Working Party 29 ("WP29"). In line with the WP29, the CNIL requires a DPIA for any data processing that meets at least two of the nine criteria. However, the CNIL exempts data controllers from conducting a DPIA if they provide a documented explanation that the processing does not create a "high risk." Where applicable, the explanation must include the opinion of the Data Protection Officer.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

AUTHOR(S)

Laurent De Muyter

Jones Day