France lists data protection impact assessment exemptions

Out-Law News | 25 Oct 2019 | 2:04 pm | 2 min. read

A list of data processing operations that are exempt from the data protection impact assessment (DPIA) requirements of the General Data Protection Regulation (GDPR) has been published by France's data protection authority.

The list of exemptions prepared by the Commission Nationale de l’Informatique et des Libertés (CNIL) applies for the most part only to very specific areas of activity.

However, some of the exemptions will be very useful to a large majority of companies that are faced with subjective choices as to the risks involved in the implementation of certain processing operations and, consequently, potential duties to develop a DPIA, said Paris-based data protection law expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.

This includes the exemption regarding the processing of personal data for the purpose of managing relationships with suppliers, she said.

According to the examples listed, the exemption applicable to supplier relationship management processes applies to personal data processing concerned with carrying out administrative operations related to contracts, orders, receipts, invoices, payments, and accounting with regard to the management of accounts payable.

It also covers data processing involved in drawing up financial statistics of the supplier, listing supplier selections for the needs of the organisation, and in maintaining documentation on suppliers.

According to CNIL's new list, SMEs in France will in many cases be free to process the personal data of staff for human resources purposes without first having to undertake a DPIA either.

Processing operations carried out solely for human resources purposes, which meet the conditions for processing set out in law, and whose sole purpose is managing the staff of organisations employing fewer than 250 people, are exempt from the DPIA requirements, CNIL said. The exemption does not apply where the processing operation involves profiling.

Examples of the type of processing operations which fall within this exemption were outlined by the regulator.

The examples include processing for the purposes of: managing pay and issuing pay slips; managing training; managing the company restaurant, such as issuing meal vouchers; reimbursing professional expenses; controlling working time, except where the processing concerns biometric or sensitive personal data; following up annual appraisal interviews; mandatory record keeping; and employees' use of work communication tools, where the processing does not involve profiling or biometrics.

A further exemption will capture certain data processing operations carried out by trade associations or not-for-profit bodies on behalf of their members in the context of their day-to-day activities, provided that the data being processed is not sensitive in nature.

This exemption will mean the associations do not need to conduct a DPIA before processing personal data to manage member subscriptions; to draw up statistical reports or lists of members or contacts to meet management needs, such as sending out newsletters or meeting notices; or to establish member directories or communicate with members about prospective activities in partnership with them.

Annabelle Richard said the guidance would be welcomed by businesses. She said CNIL is the latest data protection authority in the EU to provide guidance on the question of DPIAs.

"By setting out a comprehensive list of exemptions that apply and a raft of examples, CNIL has gone even further than what both the UK's Information Commissioner's Office and Ireland's Data Protection Commission (DPC) have said about exemptions in the respective guidance they have issued on DPIAs," Richard said. "In the case of the DPC, its DPIA guidance has been recently updated and sets out a short list of circumstances in which a DPIA is not required."

Under the GDPR, organisations are obliged to carry out DPIAs if their planned processing involves "a systematic and extensive evaluation" of personal aspects based on automated processing, including profiling, resulting in decisions that significantly affect individuals; large scale processing of sensitive data or data on criminal convictions/offences; or systematic large scale monitoring of a publicly accessible area, such as through the use of CCTV.

The GDPR also requires DPIAs to be undertaken if planned data processing activities are otherwise "likely to result in a high risk to the rights and freedoms of natural persons".