The French Data Protection Authority CNIL has issued guidance on types of data processing for which a Data Protection Impact Assessment (DPIA) is not required under GDPR:

  • HR-related processing, not including profiling, for companies with under 250 employees (e.g. payroll, training, employee timekeeping – without biometrics, evaluations)
  • Processing solely for calculating working time (except with biometrics or sensitive personal data)
  • Relationship with suppliers (vendors) e.g. contract admin, payment
  • Electoral registers – Activities of works council (EU unions)
  • Processing non-sensitive information by an association, foundation or nonprofit (e.g. management of members and donors, member directories, communication for prospecting)
  • Processing data related to patient health by a medical professional within a doctor’s office, pharmacy or medical lab (e.g. appointments, medical records, communication among the medical professionals involved)
  • Processing by lawyers for client management
  • Processing by clerks and notaries
  • Processing by local authorities and private companies for managing school and daycare/after-school programs (e.g. registration, billing, catering, transportation, school trips)
  • Processing relating to alcohol detection breathalyzers