The Data Protection Impact Assessment (DPIA) II (Consultation with the Data Subjects and the DPA)
The GDPR contains rules on when controllers are required to prepare a data protection impact assessment (DPIA), when they have to seek the views of data subjects or their representatives on the intended processing and, furthermore, when they are obliged to consult the supervisory authority prior to processing.
The Article 29 Data Protection Working Party (WP29) issued guidelines on the DPIA on 4 April 2017 (WP248), which were revised on 4 October 2017; they interpret the relevant provisions of the GDPR (Articles 35-36 and Recitals 75-76, 84 and 90-95).
Below you will find a Q&A concerning the issue of seeking the views of data subjects and the prior consultation with the supervisory authority.
1. Who Is Required To Seek The Views Of Data Subjects?
Under the GDPR, where appropriate, the controller is required to seek the views of the data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
Thus, a business secret or commercial plan may serve as a ground for an exception to the requirement to seek the views of the data subjects. It is the controller that has to justify and demonstrate that seeking such views is not required.
2. When Is It Required To Seek The Views Of The Data Subjects?
The GDPR provides that the controller is required to seek the views of the data subjects or their representatives on the intended processing, which means that the views have to be sought before the processing begins.
3. How Should The Controller Seek The Views Of The Data Subjects?
The GDPR is silent on this issue. The WP29 says in its guidelines that the “views could be sought through a variety of means” (e.g. a question or survey sent to the data controller’s potential customers).
In line with the principle of accountability,
- if the data controller’s final decision differs from the views of the data subjects, the reasons for proceeding or not with the data processing activity have to be documented;
- the data controller should also document the reasons why it has not sought the views of data subjects (e.g. doing so would be disproportionate or would endanger the business plans of the company).
4. When Is It Required To Consult The Supervisory Authority Prior To Processing?
If the controller is unable to reduce the identified high risks to an acceptable level, i.e. the remaining risks are still high, the controller is required to consult the supervisory authority prior to processing.
Examples of an unacceptably high residual risk:
- where the data subjects may encounter significant, or even irreversible, consequences which they may not be able to overcome (e.g. illegitimate access to data leading to a threat to the life of the data subjects, a layoff or a financial threat);
- when it seems obvious that the risk will materialise (e.g. the controller is not able to reduce the number of people accessing the data because the data has to be shared).
As regards the assessment of the level of risk, the “Recommendations for a methodology of the assessment of severity of personal data breaches” issued by the European Union Agency for Network and Information Security (ENISA) give useful and practical guidance.
5. What Information Has To Be Provided To The Supervisory Authority?
The controller is required to provide to the supervisory authority the following information and documents:
(a) the respective responsibilities of the controller, joint controllers and processors involved in the processing;
(b) the purposes and means of the intended processing;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects;
(d) the contact details of the DPO, if any;
(e) the DPIA; and
(f) any other information requested by the supervisory authority.
6. How Long Does A Consultation Last?
It depends on how the supervisory authority judges the case.
If the supervisory authority is of the opinion that the intended processing would infringe the GDPR (e.g. because the controller has insufficiently identified or mitigated the risk), the supervisory authority must, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller. That period may be extended by six weeks, taking into account the complexity of the intended processing. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
Taking this into account, a consultation may last for about 4 months or even more. Controllers are advised to take this into consideration and plan well ahead if they are about to launch a new data processing operation which requires a DPIA.
For further insight please refer to my newly launched blog post here: http://eugdpr.blog.hu/tags/GDPR
In my next post, I will address issues concerning the administrative fine supervisory authorities may impose.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary ([email protected])
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.