
DPIA: EDPB template (Apr 2026) and CNPD/CNIL divergences

The EDPB issued an EU DPIA template for consultation (April 2026). Yet CNPD and CNIL still diverge on triggers, with France publishing a “not required” whitelist that Luxembourg does not.

The case

On 14 April 2026, the European Data Protection Board (EDPB) published an EU template for Data Protection Impact Assessments (DPIA/AIPD) and opened a public consultation until 9 June 2026. Aim: to “enhance compliance and consistency” by offering a common documentation canvas without imposing a single methodology. The notice states that, after consultation, authorities may adopt it as a national standard or “meta‑template.” Source: EDPB — Enhancing compliance and consistency: EDPB adopts DPIA template (14 April 2026). See the announcement and the consultation on the EDPB website at edpb.europa.eu.

Useful starting point for Luxembourg leaders: despite this harmonisation effort, national positions still diverge on what triggers a DPIA. The CNPD publishes a “DPIA required” list (Art. 35(4) GDPR), while the CNIL publishes both a “required” list (decision of 11 October 2018) and a “not required” whitelist that explicitly exempts some processing (e.g., several HR operations excluding biometrics/profiling). Sources: CNPD — DPIA (Art. 35(4) list); CNIL — announcements and deliberations of 6 November 2018; CNIL — list of cases where the DPIA is not required. cnpd.public.lu. For practical guidance in the Grand Duchy, see our page on GDPR compliance in Luxembourg.

Legal reasoning

  • EU framework: GDPR Article 35 requires a DPIA when processing is “likely to result in a high risk”; Article 35(4) allows each authority to publish a list of processing that “require a DPIA in all cases”; Article 35(5) allows lists of processing for which a DPIA “is not required.” If high residual risk remains, Article 36 requires prior consultation with the authority. Official text: EUR‑Lex (GDPR, Arts. 35 and 36) — eur-lex.europa.eu. For a recap of GDPR Articles 35 and 36, see our GDPR law page.
  • EU doctrine: WP248 rev.01 Guidelines (endorsed by the EDPB) set 9 “high risk” criteria and explain how to determine the DPIA need. The EDPB confirms endorsement (“Endorsed WP29 Guidelines”). cnil.fr.
  • CNPD (Luxembourg): its official page lists “DPIA required” cases under Art. 35(4), including: 1) biometric data for identification (plus another criterion), 2) regular and systematic monitoring of employees’ activities when it produces legal or similarly significant effects, 3) systematic tracking of individuals’ location, 4) combining/comparing data from different sources/purposes leading to legal/similar effects. Update noted: 11/03/2019. cnpd.public.lu.
  • CNIL (France): in addition to a “DPIA required” list (adopted 11/10/2018, published 06/11/2018), the CNIL adopted a formal whitelist of processing where a DPIA “is not required” (Art. 35(5)), notably some routine HR operations for organisations with < 250 staff, badge‑based physical access (no biometrics) and time management (no biometrics and no sensitive/highly personal data). cnil.fr.

Substantive divergence: Luxembourg publishes only a “DPIA required” list; France also publishes a “not required” whitelist. In practice, the same HR or access‑control processing may be exempt from DPIA in France (if whitelist conditions apply), while in Luxembourg the controller must assess risk under Art. 35(1) and WP248 criteria on a case‑by‑case basis — absent an explicit national exemption. This is GDPR‑consistent but leads to different compliance paths. cnpd.public.lu.

The 14 April 2026 EDPB initiative aims to reduce disparities by harmonising the format of the DPIA (documentation, expected sections). It does not, at this stage, unify the “when” (triggers), but it aligns the “how” (content/structure), also easing prior consultation under Art. 36. edpb.europa.eu.

Practical impact

  • France–Luxembourg groups: the same HR register deployed in France and Luxembourg may: in France, fall under the “DPIA not required” list if the organisation has < 250 staff, with no biometrics/profiling and no sensitive/highly personal data; in Luxembourg, have no whitelist to rely on. There, a risk assessment against the 9 WP248 criteria is needed; absent aggravating factors, a DPIA may not be required — but the controller bears the burden of proof. cnil.fr.
  • Physical access control: France: badges without biometrics = on the “not required” list (subject to conditions); Luxembourg: no automatic exemption; if the setup is not systematic monitoring with significant effects, no DPIA — but the analysis must be reasoned and documented (accountability). cnil.fr.
  • Location tracking (fleets, mobile staff): Luxembourg: “systematic tracking of location” appears on CNPD’s DPIA‑required list — a DPIA is due. France: no whitelist entry; depending on context (systematic nature, scale, employees), a DPIA will generally be required. cnpd.public.lu.
  • AI projects and activity analytics: WP248 criteria (profiling with legal/similar effects, systematic monitoring, large‑scale processing of sensitive data) remain the backbone in both countries. The EDPB’s 14/04/2026 announcement does not change these criteria but provides a recognised documentation template to strengthen DPIAs and to streamline any Art. 36 consultation. cnil.fr. For implementation support, see our AI governance and compliance page.

Common pitfalls

  1. Porting the CNIL “not required” whitelist to Luxembourg. A frequent FR–LU mistake: assuming a routine HR process exempted in France is also exempt in Luxembourg. In the Grand Duchy there is no exemption list: assess risk (Art. 35(1)) and justify the absence of a DPIA. cnpd.public.lu.
  2. Underestimating “legal or similarly significant effects” for employees. Regular and systematic activity monitoring (productivity tracking, agent scoring, etc.) can trigger a DPIA in Luxembourg if it affects the employee’s situation (sanction, bonus, scheduling), even without biometrics. cnpd.public.lu.
  3. Forgetting prior consultation (Art. 36) when residual high risk remains. Running a DPIA is not enough: if residual risk stays high, prior consultation with the authority is mandatory before go‑live. Basis: GDPR Art. 36. eur-lex.europa.eu.
  4. Confusing “template” with “methodology”. The 2026 EDPB template harmonises deliverable structure, but does not replace WP248 or your internal risk methods; it creates no exemptions and no new triggers. edpb.europa.eu.
  5. Overlooking cross‑border implications. The same processing across countries may combine: “not required” in France, case‑by‑case in Luxembourg, and different expectations in Belgium (APD). Anticipate gaps at design stage. autoriteprotectiondonnees.be.

Official sources

  • EDPB — “Enhancing compliance and consistency: EDPB adopts DPIA template,” 14 April 2026; public consultation (open until 9 June 2026). edpb.europa.eu (announcement and public consultation)
  • CNPD (Luxembourg) — “AIPD/DPIA”: list of processing requiring a DPIA (Art. 35(4)); infographic; news. cnpd.public.lu
  • CNIL (France) — “Lists of processing for which a DPIA is required or not” (6 Nov 2018); PDF “List of processing for which a DPIA is not required.” cnil.fr (page and PDF)
  • GDPR — Articles 35 and 36: DPIA and prior consultation. eur-lex.europa.eu
  • WP29 — WP248 rev.01 Guidelines (endorsed by the EDPB). cnil.fr

Actionable summary

Until the EDPB template is finally adopted (summer 2026 at the earliest), keep applying national lists. In France, check whether a use case falls under the “not required” list; in Luxembourg, justify non‑triggering under Art. 35(1) and WP248 unless it clearly falls under the CNPD “required” list. The EDPB template does not exempt anything: it strengthens evidence, not the trigger decision. To structure cross‑border GDPR operations, talk to our team.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
