What consultations should occur prior to high-risk processing?

Different types of consultations must occur prior to high-risk processing:

  • Where appropriate, the views of individuals or their representatives on the intended processing must be sought as long as the commercial or public interests and the security of processing operations are protected. 
  • When carrying out a data protection impact assessment (DPIA), the advice of the data protection officer (DPO), if one has been designated, must be sought.
  • The supervisory authority must be consulted prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.  In such a consultation, the supervisory authority must be provided with:
    • Where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
    • The purposes and safeguards provided to protect the rights and freedoms of individuals;
    • Where applicable, the contact details of the DPO;
    • The DPIA; and
    • Any other information requested by the supervisory authority.

If the supervisory authority is of the opinion that the intended processing would infringe the GDPR, in particular where the risk has been insufficiently identified or mitigated, the supervisory authority, within eight weeks of receipt of the request for consultation (Time Period), must provide written advice.  Taking into account the complexity of the intended processing, the Time Period may be extended by six weeks (collectively Time Periods), and notification of any such extension and the reasons for the delay must be provided within one month of receipt of the request for consultation.  The Time Periods may be suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.   

In addition, Member State law may require consultation with, and prior authorization from, the supervisory authority in relation to processing for the performance of a task carried out in the public interest, including processing in relation to social protection and public health.

This blog is the 32nd in a series of blogs that explain, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  Records of Processing Activities
