Prior Consultation requirements under Article 36, GDPR and Section 84(3) of the Data Protection Act 2018
Where a data controller carries out a Data Protection Impact Assessment (DPIA), which indicates that the intended processing would result in a high risk to the data protection rights of individuals in the absence of mitigating measures, the controller shall consult the Supervisory Authority. In practical terms, this means that where the data controller cannot deal with identified risks (i.e. residual high risks to data subjects remain) by implementing safeguards they must consult with the Data Protection Commission, seeking written advice on the proposed processing operation(s).
Prior consultation with the DPC will also be mandatory where the controller proposes to engage in a type of processing that has been prescribed in regulations in accordance with Section84(9) of Data Protection Act 2018.
Prior consultation pursuant to Article 36 is a function of the Consultation Section of the Data Protection Commission. Submissions can be emailed to firstname.lastname@example.org and clearly marked as for statutory, prior consultation under Article 36 of the GDPR and/or Section 84 of the Data Protection Act, 2018.
When engaging with the DPC for prior consultation the following information should be submitted:
- The Data Protection Impact Assessment and any ancillary documents;
- The respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
- The purposes and means of the intended processing;
- The measures and safeguards provided to protect the rights and freedoms of data subjects under the GDPR;
- The contact details of the Data Protection Officer (if applicable); and
- Any further information as may be requested by the DPC.
The DPC will respond to a submission for statutory prior consultation within a period of up to six weeks, where it appears that the intended processing would infringe the provisions of the GDPR or Data Protection Act, or that the controller has insufficiently identified or mitigated the potential risks. This response will be in the form of written advice and will be issued to the controller, and where applicable, any proposed processor. The period for responding may be extended by a period of up to one month , taking into account the complexity of the proposed processing.
In addition to issuing written advice, the DPC may also exercise any of its investigative, corrective or enforcement powers in response to a submission for statutory prior consultation.
Where a controller considers that it is likely to be required to submit a DPIA for statutory prior consultation, the Consultation Section of the DPC welcomes advance notice of this where possible. This will assist in the allocation of resources to the process of assessing the DPIA once submitted, and may reduce the DPC’s response time, subject to the operational exigencies of the Section. During the assessment process should any further information become available to the controller that would assist the DPC, this should be forwarded to the Consultation Section.