The Data Protection Impact Assessment (DPIA) II (Consultation with the Data Subjects and the DPA)
The GDPR contains rules on when controllers are required to prepare a data protection impact assessment (DPIA), when they have to seek the views of data subjects or their representatives on the intended processing and, furthermore, when they are obliged to consult the supervisory authority prior to processing.
The Article 29 Data Protection Working Party (WP29) issued guidelines on the DPIA on 4 April 2017 (WP248), which were revised on 4 October 2017 and which interpret the respective provisions of the GDPR (Articles 35-36 and Recitals 75-76, 84 and 90-95).
Below you will find a Q&A concerning the issue of seeking the views of data subjects and the prior consultation with the supervisory authority.
1. Who Is Required To Seek The Views Of Data Subjects?
Under the GDPR, where appropriate, the controller is required to seek the views of the data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
Thus, a business secret or commercial plan may serve as a ground for an exception to the requirement to seek the views of the data subjects. It is the controller that has to justify and demonstrate that seeking of such views is not required.
2. When Is It Required To Seek The Views Of The Data Subjects?
The GDPR provides that the controller is required to seek the views of the data subjects or their representatives on the intended processing, meaning that the seeking of the views has to occur prior to processing.
3. How Should The Controller Seek The Views Of The Data Subjects?
The GDPR is silent on this issue. The WP29 says in its guidelines that the “views could be sought through a variety of means” (e.g. a question or survey sent to the data controller’s potential customers).
In line with the principle of accountability,
- if the data controller’s final decision differs from the views of the data subjects, the reasons for proceeding or not with the data processing activity have to be documented;
- the data controller should also document the reasons why it has not sought the views of data subjects (e.g. doing so would be disproportionate or would endanger the business plans of the company).
4. When Is It Required To Consult The Supervisory Authority Prior To Processing?
If the controller is unable to reduce the identified high risks to an acceptable level, i.e. the remaining risks are still high, the controller is required to consult the supervisory authority prior to processing.
Examples of an unacceptable high residual risk:
- where the data subjects may encounter significant, or even irreversible, consequences, which they may not overcome (e.g. an illegitimate access to data leading to a threat on the life of the data subjects, a layoff, a financial threat);
- when it seems obvious that the risk will occur (e.g. the controller is not able to reduce the number of people accessing the data because of its sharing).
As regards the assessment of the level of the risk, the “Recommendations for a methodology of the assessment of severity of personal data breaches” issued by the European Union Agency for Network and Information Security gives useful and practical guidance.
5. What Information Has To Be Provided To The Supervisory Authority?
The controller is required to provide to the supervisory authority the following information and documents:
(a) the respective responsibilities of the controller, joint controllers and processors involved in the processing;
(b) the purposes and means of the intended processing;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects;
(d) the contact details of the DPO, if any;
(e) the DPIA and
(f) any other information requested by the supervisory authority.
6. How Long Does A Consultation Last?
It depends on how the supervisory authority judges the case.
If the supervisory authority is of the opinion that the intended processing would infringe the GDPR (e.g. because the controller has insufficiently identified or mitigated the risk), the supervisory authority must, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller. That period may be extended by six weeks, taking into account the complexity of the intended processing. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
Taking this into account, consultation may last for about 4 months or even more. Controllers are advised to take this into consideration and plan well ahead if they are about to launch a new data processing operation which requires a DPIA.
For further insight please refer to my newly launched blog post here: http://eugdpr.blog.hu/tags/GDPR
In my next post, I will address issues concerning the administrative fine supervisory authorities may impose.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.
I would like to bring your attention to some key legal developments that occurred in Colombia in Customs and Foreign Trade over the last year.
These legal developments are related to 4 major industry topics:
- FTAs and other Trade Agreements
- Trade Defense Measures
- Customs regime and facilitation of foreign trade
- Free Trade Zone Regime
The Colombian government’s focus is to strengthen the economy by entering into trade agreements and fully taking advantage of existing ones, protecting its national industry through trade measures when applicable, reforming regulations aiming to facilitate trade and business, and fostering foreign investment into the country via free trade zones.
To read the full analysis on the legal developments and how Colombia is trying to achieve this, please click here: http://www.worldservicesgroup.com/publications.asp?action=article&artid=9058
Please allow me to refer you to the article below, providing an update on the UAE VAT Executive Regulation. This is a big development for the UAE. The UAE has no corporate or personal income tax (except for taxes on foreign banks and oil companies) and, as a result, there were generally no financial reporting requirements.
The introduction of VAT has necessitated the formation of a Federal Tax Authority and filing of financial information for the first time for most businesses.
To Read The Full Analysis on the UAE VAT Executive Regulation Click Here: http://www.worldservicesgroup.com/publications.asp?action=article&artid=8911
The Romanian Government has recently approved a draft law on mining activities that is intended to replace the existing law, enacted in 2003. The new law gives titleholders of mining licenses enhanced rights of access to the land necessary for the mining operations.
What is New and Important Regarding the Draft Law?
- Land access rights
- Transfer of rights and obligations deriving from the mining license
- Obligation of the titleholder to incorporate a Romanian subsidiary after being awarded the mining license
- Elimination of the approval of the production mining licenses by Government Decision
- Mining royalties and special taxes on prospecting, exploration and production of mineral resources
To read more on the Draft Law Click Here: http://www.worldservicesgroup.com/publications.asp?action=article&artid=8937
Practice / Industry Group: Employment and Labor
Please allow us to refer you to the article below on the appointment of the new General Counsel for the National Labor Relations Board:
The U.S. Senate confirmed Peter Robb as the new General Counsel for the National Labor Relations Board ("NLRB" or "Board"). In private practice, Robb was a noted critic of the NLRB under the Obama administration, particularly the Board's so-called quickie election rules and what he has termed the Board's narrow definition of supervisory status.
This appointment is significant both because the NLRB has been particularly active in recent years, issuing numerous pro-employee, pro-labor decisions, and because the General Counsel role comes with substantial power.
To continue reading on how the nomination affects Non-Union Attorneys, click here
Please allow me to refer you to the article below, analyzing the legal and economic significance of off-shore finance in the British Virgin Islands:
International financial records recently stolen from two offshore services firms and 19 corporate registries maintained by governments were leaked to journalists and their details subsequently published around the world. Beyond the hype, however, we find no intelligent inferences of legal significance in the reporting.
For example, the media draws attention to a United States Cabinet member's offshore financial transactions but does not allege that his shipping stake was illegal. Nor does it allege his foreign-registered holding company was illegal or that he failed in any disclosure duty.
(To read the full analysis click here: http://www.worldservicesgroup.com/publications.asp?action=article&artid=8936).
Please allow us to refer you to the blog below on the SEC Chairman’s remarks on ICOs and Securities Offerings:
SEC Chairman Jay Clayton spoke at the PLI Annual Institute on Securities Regulation in re: The DAO and his skepticism about ICOs being a securities offering.
Among several other topics, Mr. Clayton made reference to the SEC’s Report of Investigation Pursuant to Section 21(a) of the Securities and Exchange Act of 1934; The DAO.
To read the full post as well as the script and comments from Mr. Clayton, click here: http://www.wallerlawblog.com/post/176/SEC-Chairman-Sees-ICOs-as-Securities-Offerings
Please allow me to refer you to the analysis below on the development of Latin America through Foreign Trade & Investment:
José Francisco Mafla and Camilo Castrill at Brigard & Urrutia Abogados explore the development of trade throughout Latin America, and its effect on and importance for the region’s economic growth.
Latin America’s current economic growth levels are among the world’s highest, and the region is preparing its regulations to meet new economic challenges. As such, the fostering of foreign trade and foreign direct investment (FDI) is important to increase GDP growth, create job opportunities, and improve logistics and production. In the pursuit of economic and social development, modern economies are implementing new regulations to develop strategies aimed at attracting new investments and facilitating trade. In this article, we analyse the most important regulatory tools that Latin American countries are developing, with the aim of improving their economic and social conditions, and ultimately consolidating Latin America as a region open to business with favourable conditions for the development of high-value investment projects.
You can read the full analysis on the development of Latin America through Foreign Trade & Investment here: http://www.worldservicesgroup.com/publications.asp?action=article&artid=8912
Please allow me to refer you to the article below on the challenges with international recognition and enforcement of mortgages on ships:
Having practised both as a shipping lawyer and an aviation lawyer for many years, I do find the experience and practice with the Cape Town Convention and aviation finance transactions to be interesting when experiencing the challenges faced by the shipping industry with respect to recognition and enforcement of mortgages. The shipping industry does not have a global legal regime governing these issues in the same way as the aviation industry, and when looking at the OSX-3 matter from last year, where the Brazilian courts have set aside the Liberian first priority mortgage, the need for a global legal regime becomes quite evident.
The fact that the shipping world is yet to adopt an international legal scheme governing recognition and enforcement of rights in ships and offshore units is complicating the financing of such objects, and the mentioned court case in Brazil has cast a shadow over the Brazilian offshore sector which should trouble the international banking community. In this brief article I would like to discuss a little more in detail the challenges caused by the Brazilian judgment and how these challenges could be solved by looking towards the aviation finance sector and the Cape Town Convention.
You can read the full analysis of the solutions offered by the Cape Town Convention and the aviation finance sector here: https://goo.gl/izpyY5.
A few days ago in Washington DC we had the first cocktail of our Trade and Investment Practice Group. It was an excellent opportunity for networking and strengthening relations among delegates of several WSG firms.
The participants in the event were able to meet and network with delegates from around the world and share their experiences, ideas and projects. Networking is a key activity for business growth and development, as it is a great tool for promoting your own and your firm’s profile, creating new opportunities, and sharing knowledge (which provides an opportunity to learn and avoid pitfalls).
Networking is not about meeting more people, it is about building long-term relationships. Accordingly, networks must be constantly strengthened and improved, and for this purpose, it is important to keep in touch with new acquaintances and nurture relationships.
This is an invitation to remain in contact, share news and opportunities, make use of WSG’s and our practice group’s resources, and prepare for our next year’s gathering during the 2016 ABA SIL spring meeting to be held in New York City from April 12 until April 16.