GDPR Learning Hub

Request prior consultation with the data protection authority

In some cases, companies need to request prior consultation with the data protection authority after carrying out an impact assessment. This is stated in Article 36 of the GDPR (EU General Data Protection Regulation).

Prior consultation

Prior consultation means that the company and the data protection authority evaluate the intended processing together. If the data protection authority considers that the planned processing would infringe the GDPR, it may provide written advice. The data protection authority may also exercise any of the powers conferred on it by Article 58 of the GDPR.

Requesting prior consultation of the data protection authority following an impact assessment

Where there is a high risk to the rights and freedoms of data subjects when processing personal data, the company must carry out an impact assessment.

There are several types of impact assessment, such as:

Data Protection Impact Assessment (DPIA)

The purpose of this type of impact assessment is to protect the rights and freedoms of data subjects and to prevent risks arising from the processing of personal data. It is an ongoing, documented process that enables the company to comply with the GDPR; it is therefore not a one-off activity with a defined end point. The process helps the company assess whether the risks of the processing are proportionate to its purpose.

Data transfer impact assessment (TIA)

This type of impact assessment must be carried out before personal data is transferred to a third country outside the EU/EEA that is not covered by an adequacy decision. Only the European Commission can decide whether a third country ensures an adequate level of protection. The purpose of a data transfer impact assessment is to evaluate the potential risks and consequences for data subjects of transferring their personal data to that third country, for example the risk that the rights of data subjects cannot be upheld. It is also important to identify appropriate measures to minimise those risks.

Where the risk to data subjects remains high, the company shall request a prior consultation of the national data protection authority before the processing is carried out. Note that the impact assessment must be completed before the prior consultation is requested.

What companies should do before requesting a prior consultation

  1. Carry out an impact assessment in accordance with Article 35 of the GDPR.
  2. Take appropriate measures to limit the risks associated with the processing.
  3. If the risks persist, request a prior consultation of the national data protection authority.

Information to be provided to the national data protection authority

Responsibilities

The requester of the prior consultation needs to describe how responsibilities are divided, especially within a group of companies: for example, who the processor is, whether two or more parties are joint controllers, and so on.

Purpose

It is important that the purpose of the processing is clearly stated, in other words why the processing needs to be carried out.

Actions

The company must describe the technical and organisational security measures it has taken to protect the rights and freedoms of data subjects.

Data protection officer

Some companies are required to appoint a data protection officer. Others are not required to, but do so voluntarily as a privacy-enhancing measure. Whatever the reason the company has a data protection officer, the officer's contact details must be provided to the data protection authority.

Impact assessment

The company shall submit its documented impact assessment.

Information on request

After the company has submitted its request for prior consultation, the data protection authority may request further information in order to make its assessment. In that case, the company shall provide the requested additional information.

Reply of the data protection authority to the prior consultation

The data protection authority receiving the request for prior consultation has eight (8) weeks to respond, but may extend this time limit in certain cases, for example where the prior consultation concerns very complex processing of personal data. The extension may be at most six (6) further weeks, and the authority must inform the company of it within one month of receipt of the request.

If the processing is not compliant with GDPR

If the data protection authority finds that the processing does not comply with the GDPR, it can prohibit the processing. Alternatively, it can advise the company on how to bring the processing into compliance with the GDPR. The data protection authority may also take any of the other measures set out in Article 58 of the GDPR, which describes the powers of a data protection authority.

In some cases the company may not receive a response within the eight (8) weeks that the GDPR sets as the main rule, for example because an error has occurred. The absence of a response does not mean that the data protection authority has approved the processing.