Le service intégré de l'accueil et de l'orientation (SIAO) – Court Ruling (France, 2019)

Several NGOs brought a complaint before the Conseil d’Etat to stop a new form of cooperation between two national services (SIAO and OFII) in charge of asylum seekers and beneficiaries of international protection. This new form of cooperation leads to a new joint database and, thus, to a new processing operation of the applications for asylum by the SIAO and the OFII. This new database includes the personal data of the asylum seekers. The Conseil d’Etat had to assess when the Data Protection Impact Assessments (DPIA) according to Article 35 GDPR should be carried out in this case. The Conseil d’Etat stated that the DPIA must be carried out prior to the processing operation, but it must also be updated after the actual launch of the processing operation to ensure that the risks to the rights and freedoms of the natural persons whose personal data are processed are always duly taken into account. If further found that carrying out the DPIA when initiating the processing operation was sufficient to comply with Article 35 GDPR.