Pursuant to Article 35.4 of the RGPD (GDPR), the CNIL has published a list of 14 categories of processing activities for which it deems it necessary to perform a Data Protection Impact Assessment (DPIA). On its website, the CNIL also provides examples of the types of processing activities for each of these categories.
The European Data Protection Board’s published opinion regarding this list may be read here.
21 other data protection authorities have submitted their list to the EDPB for opinion. Organizations will need to check one or several of these national lists before implementing a processing activity especially a cross boarder one.