Mandatory DPIA: CNPD vs CNIL — geolocation, two thresholds

In Luxembourg, the CNPD requires a DPIA for any systematic tracking of location. In France, the CNIL only mandates it for large-scale processing of location data.

At a glance — The CNPD requires a DPIA whenever there is “systematic tracking of location,” while the CNIL limits the obligation to “large-scale processing of location data.” Bottom line: in Luxembourg, even a small fleet or MDM with location triggers a DPIA.

The case

  • Luxembourg — On 19 April 2021, the CNPD updated its “List of processing operations for which a DPIA is mandatory” under Article 35(4) GDPR. Item 7 targets “processing operations consisting of systematic tracking of the location of natural persons,” with no “large-scale” threshold. See CNPD, “List of processing… DPIA mandatory” (last update 19/04/2021). cnpd.public.lu
  • France — In its list adopted on 11 October 2018 (published 6 November 2018), the CNIL includes “large-scale processing of location data.” See CNIL, “Impact assessment… publication of a list” and the “DPIA required” PDF. cnil.fr

This gap — “systematic tracking” (CNPD) vs “large scale” (CNIL) — creates a tangible divergence for fleets, internal mobility apps, or MDM setups.

Legal reasoning

  • Framework — GDPR Article 35 mandates a DPIA where processing is “likely to result in a high risk,” and allows supervisory authorities to publish lists (Art. 35(4)). eur-lex.europa.eu. For practical guidance, see our notes on GDPR Article 35 and its links with Article 30.
  • EU coherence — The EDPB endorsed WP248 rev.01 (9 indicative criteria; in practice, two criteria often suffice). These guidelines steer national lists without fully harmonising them. edpb.europa.eu

CNPD stance

A nature-based reading: “systematic tracking of location” = DPIA required, with no “large-scale” condition. The CNPD also targets, separately, “regular and systematic monitoring of employees’ activities” with legal or similarly significant effects, and data combination with significant effects. cnpd.public.lu

CNIL stance

The CNIL requires a DPIA for large-scale location and for “constant monitoring of employees’ activity,” aligning with WP248 criteria while keeping an explicit threshold for location. cnil.fr (PDF)

EDPB view

The EDPB stresses the 9 WP248 criteria and that two will often suffice, while allowing local refinements if the spirit of the guidelines is respected. Hence coexisting thresholds.

Practical upshot: for the same fleet or app, a DPIA is “always required” in Luxembourg, but “required if large-scale” in France.

What changes on the ground

  • Vehicle fleets — In Luxembourg, an SME tracking 15 vans continuously must run a DPIA (“systematic tracking of location”). In France, absence of “large scale” may be argued, yet other criteria (systematic monitoring of employees, vulnerability) may still lead to a DPIA. CNPD
  • Timekeeping and geofencing — A mobile module recording site presence via geofencing triggers a DPIA in Luxembourg, even for small headcounts. In France, the focus is on large scale and constant monitoring.
  • BYOD/MDM with location — Forcing location on corporate/managed smartphones implies a DPIA in Luxembourg; in France, “large scale” remains the pivot, without excluding other WP248 criteria.

Regardless, Art. 35(1) is the safety net: even if not on a national list, a DPIA is required where high risk is likely under WP248. EUR‑Lex

Common pitfalls

  1. Focusing only on “large scale” — A frequent cross-border mistake: aligning on France and overlooking that in Luxembourg any “systematic tracking of location” calls for a DPIA. CNPD
  2. Confusing records with a DPIA — Article 30 records are not a DPIA: the risk study (Art. 35) must assess mitigations and, if high risk remains, lead to consultation (Art. 36). EUR‑Lex
  3. Overlooking “similarly significant effects” — The CNPD also triggers DPIA for regular and systematic employee monitoring with legal or similarly significant effects (discipline, bonuses). CNPD
  4. Ignoring the cumulative WP248 criteria — In France, even without “large scale,” combining “systematic monitoring” with “vulnerable data subjects (employees)” can justify a DPIA. CNIL
  5. Optimising retention but not real-time access — A DPIA must also cover real-time access, alerting, granularity, sampling, and minimisation, not just deletion. EDPB

Regulators’ commentary

The CNPD favours an intrinsic risk logic for use cases (geolocation = systematic tracking), effectively lowering the Luxembourg threshold. The CNIL keeps a “large-scale” filter but stresses WP248 cumulative criteria.

In summary

In Luxembourg, adopt a DPIA reflex for any collection of location data about employees or users, regardless of size. In France, test “large scale” first — yet remember WP248 can independently make a DPIA unavoidable.

Luxgap regulatory expertise article.
