Luxembourg: National Commission for Data Protection Publishes List of Operations Requiring Impact Data Assessment

On March 11, 2019, the National Commission for Data Protection (CNPD) published a list of activities for which a data protection impact assessment (DPIA) is mandatory.

According to the press release, the list of activities has been submitted to the European Data Protection Board (EDPB) for its opinion. The list is not exhaustive and is limited to activities that will always require the performance of a DPIA. For activities which are not mentioned in the list, data processors shall refer to Article 35(1) of the General Data Protection Regulation (GDPR) and WP248 of Article 29 Working Party.

To continue reading please log in or request a demo to speak to a member of the team.