On November 6, the CNIL provided further guidance on conducting DPIAs ( source document in French). The CNIL mentioned that a DPIA should: (i) precisely describe the data processing; (ii) provide a legal assessment of whether or not such processing is necessary and proportional to the fundamental rights concerned; and (iii) provide an evaluation of the technical risks in terms of data security. The CNIL explained that DPIAs are mandatory when using a type of processing that the CNIL already stated requires a DPIA (see CNIL's Decision n° 2018-327 of October 10, 2018) and whenever the processing meets at least two of the nine criteria mentioned under the G29 Guidelines (see Decision n° 2018-326 of October 10, 2018).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.