Two deliberations of the CNIL* concerning the RGPD** were published in the Official Journal on November 6. The first, No. 2018-326, adopts guidelines specifying the general rules to be respected regarding impact assessments. Its content refers specifically to the list of processing operations requiring an impact assessment, adopted by the second deliberation, No. 2018-327.
Analysis of the second deliberation:
First of all, it is worth noting that this deliberation refers to Opinion 9/2018 of the European Data Protection Committee, or EDPS (the European authority), adopted on September 25, 2018. That opinion relates to the draft list submitted by the French supervisory authority of the types of processing operations for which a data protection impact assessment is required.
Regarding the list itself, certain key types of processing that require an impact assessment deserve attention. These are the processing operations:
- Establishing profiles of natural persons for human resources management purposes (EDPS criteria concerned: evaluation or rating, or so-called vulnerable persons). In the sense of the RGPD and in the CNIL's classical approach, "vulnerable persons" refers to minors,
- With the purpose of constantly monitoring the activity of the employees concerned (EDPS criteria concerned: so-called vulnerable persons, or systematic monitoring),
- With the purpose of managing alerts and warnings in social and health matters (EDPS criteria concerned: so-called vulnerable persons, or assessment/rating, or collection of sensitive data). This refers to Articles L4131-1 and following of the Labour Code,
- For the purpose of managing alerts and warnings in professional matters (EDPS criteria concerned: so-called vulnerable persons, or evaluation/rating, or collection of sensitive data),
- Involving the profiling of individuals, which may lead to their exclusion from or suspension from a contract, or even termination of a contract (EDPS criteria concerned: evaluation/rating, or cross-referencing or combination of data sets),
- Pooling of identified contractual breaches that may lead to a decision to exclude or suspend the benefit of a contract (EDPS criteria concerned: cross-referencing or combination of data sets, or automated decision-making with legal effect or significant similar effect),
- Profiling using data from external sources (EDPS criteria involved: assessment or scoring, or cross-referencing/combining of data sets),
- Large-scale location data (EDPS criteria concerned: collection of sensitive data, or data processed on a large scale).
The CNIL indicates that this list is not exhaustive. In the terms of the deliberation: "In accordance with Article 35.1 of the RGPD, an impact assessment must be carried out whenever the processing is likely to result in a high risk to the rights and freedoms of natural persons. This list is based on the EDPS guidelines on data protection impact assessment, which it complements and clarifies for specific processing operations."
In a future article, we will deal with the other CNIL deliberation, on the general rules to be respected in impact assessments.
*CNIL: Commission Nationale de l'Informatique et des Libertés (French National Commission for Information Technology and Civil Liberties)
**RGPD: General Data Protection Regulation (GDPR)