The French Data Protection Authority CNIL has issued guidance on types of data processing for which a Data Protection Impact Assessment (DPIA) is not required under GDPR:
- HR-related processing, not including profiling, for companies with under 250 employees (e.g. payroll, training, employee timekeeping – without biometrics, evaluations)
- Processing solely for calculating working time (except with biometrics or sensitive personal data)
- Relationship with suppliers (vendors) e.g. contract admin, payment
- Electoral registers
- Activities of works council (EU unions)
- Processing non-sensitive information by an association, foundation or nonprofit (e.g. management of members and donors, member directories, communication for prospecting)
- Processing data related to patient health by a medical professional within a doctor’s office, pharmacy or medical lab (e.g. appointments, medical records, communication among the medical professionals involved)
- Processing by lawyers for client management
- Processing by clerks and notaries
- Processing by local authorities and private companies for managing school and daycare/after-school programs (e.g. registration, billing, catering, transportation, school trips)
- Processing relating to alcohol detection breathalyzers