Skip to content

CNPD list of processing activities requiring a DPIA

Related people
Manhaeve Katia
Katia Manhaeve

Partner

Luxembourg

View profile →

Di Lorenzo Catherine
Catherine Di Lorenzo

Counsel

Luxembourg

View profile →

Dutkiewicz Izabela
Izabela Dutkiewicz

Associate

Luxembourg

View profile →

Azoulay Barbara
Barbara Azoulay

Associate

Luxembourg

View profile →

Paul Wagner

Junior Associate

Luxembourg

View profile →

15 March 2019

​The Luxembourg data protection authority (CNPD) has published a list of processing activities triggering a mandatory data protection impact assessment (DPIA) following review by the European Data Protection Board (EDPB).

The circumstances in which a DPIA is required are summarised below; (click here for the authoritative CNPD list).  
  1. Processing involving genetic data as defined in GDPR, in combination with at least one other criterion contained in the EDPB's adopted guidelines on DPIAs: wp248.  (An exception is drawn for health professionals providing health services.)
  2. Processing that includes biometric data as defined in GDPR for the purpose of identifying data subjects, in combination with at least one other criterion contained in wp248.
  3. Processing involving the combination, matching or comparison of personal data collected from processing operations with different purposes (from the same or different controllers) which produce legal effects or have a similar significant impact on the data subject.
  4. Processing which consists of or includes regular and systematic monitoring of employees' activities and which may produce legal or similar significant effects with regard to employees.
  5. Processing of files likely to contain personal data of the entire national population (subject to an exception for where a DPIA has already been carried out as part of a general impact assessment).
  6. Processing for scientific or historical research purposes or for statistical purposes within the meaning of Articles 63 to 65 of the Law of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection regime.
  7. Systematic monitoring of the location of natural persons.
  8. Processing based on the indirect collection of personal data in conjunction with at least one other criterion contained in wp248 where it is neither possible nor feasible to guarantee the right to information.