On October 11, the CNIL adopted new guidelines on conducting DPIAs under the GDPR (source document in French). The guidelines supplement the requirements set out in Article 35(1) of the GDPR and the list of nine criteria defining high-risk data processing, adopted on October 4, 2017, by the Working Party 29 ("WP29"). In line with the WP29, the CNIL requires a DPIA for any data processing that meets at least two of the nine criteria. However, the CNIL exempts data controllers from conducting a DPIA if they provide a documented explanation that the processing does not create a "high risk." Where applicable, the explanation must include the opinion of the Data Protection Officer.
