DPIA Assessment
Each processing activity form includes a DPIA tab used to assess whether a Data Protection Impact Assessment (DPIA) is required.
The assessment is based on the CNIL decision tree and is carried out in 3 steps:
- Check whether the processing activity is included in the list of processing operations exempt from a DPIA;
- Check whether it is included in the list of processing operations subject to a DPIA;
- Check whether the processing activity meets at least 2 risk criteria requiring a DPIA.
Based on the answers provided, Provacy automatically displays an assessment:
- Unavailable when the answers are incomplete.
- DPIA required
- DPIA exemption
This assessment is provided as a decision-support tool. As indicated in the form:
« This assessment is based on the information provided and does not constitute an automatic obligation. »
Additional analysis may therefore still be necessary. For example:
- a DPIA has already been carried out for a similar or shared processing activity;
- the processing activity is particularly innovative or sensitive and presents high risks to data subjects, even if no comparable case has yet been formally identified by a supervisory authority.
The comment field below the assessment can be used to document and justify the final decision made.
