What is prior consultation?
Prior consultation is the obligation for a data controller to consult with the supervisory authority before carrying out processing activities that are likely to result in a high risk to individuals’ rights and freedoms. It is a mechanism designed to ensure that the data controller seeks expert advice from the supervisory authority regarding the potential risks and appropriate safeguards associated with the processing activities.
When do I need prior consultation?
You need to consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.
"First, the controller checks whether data processing may lead to an increased risk for the data subjects. Then, the controller must try to reduce the risk to an acceptable level by taking appropriate measures. If, despite all possible measures, a high residual risk cannot be ruled out, he must consult the supervisory authority."
What information do I need to provide the supervisory authority?
When consulting the supervisory authority, you must provide the supervisory authority with:
- where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings
- the purposes and means of the intended processing
- the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR
- the contact details of the data protection officer
- the data protection impact assessment
- any other information requested by the supervisory authority
Response options of the supervisory authority
If the authority concludes that the proposed processing does not comply with the GDPR, it has the following options:
- issue appropriate written recommendations to the controller or, as the case may be, to the processor
- exercise its powers referred to in Article 58 of the GDPR, such as issuing a warning or giving an order
What is the penalty for not consulting the supervisory authority?
The fine for not consulting the supervisory authority when required, can be up to €10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The specific penalties can be influenced by various factors, including the nature of the infringement, the cooperation of the organization, the measures taken to mitigate risks, and the previous compliance history of the organization. Each supervisory authority has the discretion to determine the appropriate penalty based on these factors.
If, in the course of its examination, the supervisory authority concludes that the planned processing does not comply with the GDPR, the authority can issue appropriate recommendations to the controller or processor, give a warning or an order. It also has the power to prohibit the processing operations entirely.
The supervisory authority must provide advice within a period of up to eight weeks (which can be extended to up to 14 weeks).
The consultation with the supervisory authority must be initiated (but not completed) prior to processing.
According to the GDPR, the controller does not have to wait for a reaction of the supervisory authority before beginning with the processing operations. However, national laws may provide for an approval procedure in certain circumstances. In general, it is recommended to wait for a reaction of the supervisory authority.