CNIL – Developer’s Guide sheets

The CNIL publishes a GDPR guide for developers

In order to assist web and application developers in making their work GDPR-compliant, the CNIL has drawn up a new guide to best practices under an open source license, which is intended to be enriched by professionals.

All the material via tag search:

Github to participate in further development: –

Local copy of the sheets (might be outdated):

Currently it includes:
Sheet n°0: Develop in compliance with the GDPR
Sheet n°1: Identify personal data
Sheet n°2: Prepare your development
Sheet n°3: Secure your development environment
Sheet n°4: Manage your source code
Sheet n°5: Make an informed choice of architecture
Sheet n°6: Secure your websites, applications and servers
Sheet n°7: Minimize the data collection
Sheet n°8: Manage user profiles
Sheet n°09: Control your libraries and SDKs
Sheet n°10: Ensure quality of the code and its documentation
Sheet n°11: Test your applications
Sheet n°12: Inform users
Sheet n°13: Prepare for the exercise of people’s rights
Sheet n°14: Define a data retention period
Sheet n°15: Take into account the legal basis in the technical implementation
Sheet n°16: Use analytics on your websites and applications

Germany: DiGAV (medical mobile applications) and guideline

DiGAV is now in force.

The accompanying “Digitale-Gesundheitsanwendungen-Verordnung (DiGAV)”*%5B%40attr_id%3D%27bgbl120s0768.pdf%27%5D__1592376167435

The accompanying Guideline for DiGAV:

General supporting background material

including an English summary

Mapping ISO 27701 to privacy laws (github)

The Data Protection/Privacy Mapping Project (the “Project”) facilitates consistent global comprehension and implementation of data protection with an open source mapping between ISO/IEC 27701 and global data protection and/or privacy laws and regulations.

Data Protection Mapping Project demo site



DPA Ireland Guidance Notes: Legal bases for processing Personal Data

December 2019

“If processing of sensitive ‘special category’ data is necessary as part of performing the contract, controllers will also need to identify a separate exception to the general prohibition of processing such data, because contractual necessity alone does not fulfil the requirements of Article 9 GDPR. Thus, as with all processing of such special category data, the controller will need both a legal basis – in this case, necessary for the performance of a contract – as well as fulfilling a condition under Article 9(2) which allows for the processing that type of personal data – such as the fact that the data have been ‘manifestly made public’ or the processing is necessary to establish, exercise, or defend a legal claim.”

AEPD publishes a guide on data protection rights of patients and health users

The Spanish Agency for Data Protection (AEPD) has published the ‘Guide for patients and users of health’, a document that responds to the most frequent questions that citizens usually ask when their personal data is processed by centers, administrations and health professionals and which aims to facilitate the knowledge of their rights.
In a second part, the ‘Guide for patients and healthcare users’ collects the issues raised most frequently before the AEPD.

Press release:

Guide (in Spanish):

Prior authorization/notification requirements (from Baker McKenzie 2019)

General comparison via Baker McKenzie (via compare jurisdiction and topics),7b3389f4364545d8933d7ccb76b6d5c8

In many articles it is stated that prior notification/authorization requirements had been replaced with GDPR by the need to have high-risk Data Protection Impact Assessments reviewed by the Supervisory Authorities (GDPR Art 36). – However, there are still cases in which more specific prior notification/authorization requirements exist (GDPR Art 36 (5) and Member state laws (via opening clauses)).

According to the above source, in the EU, -and omitting DPO registrations – there are requirements for
(check source above for the precise wording, my own summary below)

  • Belgium
    (CCTV, sometimes communication of health data)
  • Denmark
    (purpose-related: warning someone to engage in some business, creditchecks/financial standing-related, legal information system-related)
  • France
    (sometimes for processing of person’s NIR (national identification registry) number; state investigations; biometric or genetic data for authentication on behalf of the state; some transfers of personal data to a third country (GDPR 43 (3) a);
    ad hoc scheme for health data and subjects their processing to a prior declaration of conformity with standard references (“référentiels”) of the CNIL. Failing that, article 54 of the Data Protection Act states that processing shall be subject to the CNIL’s prior authorization, except in the field of health research or study. ” (quote from URL above) [Exceptions for some bodies and services listed via a Ministerial Order]

For France/CNIL: Overview by Baker McKenzie

CNIL/France: Pior authorization for healthdata, pharmacovigilance and CNIL standards

Article by TwoBirds ” The CNIL published on 18 July 2019 a new standard concerning the processing of personal data for the purpose of vigilance in the health sector. ”

Quote: ” The standard is of great importance since according to the French Data Protection Act such processing activities are submitted to the CNIL’s prior authorization. The scope of the French prior authorization requirement is extraterritorial, and any organization worldwide doing product vigilance on individuals residing in France must obtain an authorization in order to be allowed to carry on their activities. But if their activities comply with the CNIL’s new standard, then they can now file a declaration of compliance with the CNIL, instead of filing a full request for authorization. “

Link to inofficial translation by TwoBirds at

TwoBird article on overall background at – incl. need for prior authorization and CNIL reference methods