Fox Rothschild LLPThe French Data Protection Authority CNIL has issued guidance on types of data processing for which a Data Protection Impact Assessment (DPIA) is not required under GDPR:

  • HR-related processing, not including profiling, for companies with under 250 employees (e.g: payroll , training, employee timekeeping – without biometrics, evaluations)
  • Processing solely for calculating working time (except with biometrics or sensitive personal data)
  • Relationship with suppliers (vendors) e.g. contract admin, payment
  • Electoral registers – Activities of works council (EU unions)
  • Processing non-sensitive information by an association, foundation or nonprofit (e.g. management of members and donors, member directories, communication for prospecting)
  • Processing data related to patient health by a medical professional within a doctor’s office, pharmacy or medical lab (e.g. appointments, medical records, communication among the medical professionals involved)
  • Processing by lawyers for client management
  • Processing by clerks and notaries
  • Processing by local authorities and private companies for managing school and daycare /after-school programs (e.g. registration, billing, catering, transportation, school trips)
  • Processing relating to alcohol detection breathalyzers

[View source.]