Authors: Jens Ambrock and Moritz Karg
1. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Art. 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
2. Where the supervisory authority is of the opinion that the intended processing referred to in para. 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Art. 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
3. When consulting the supervisory authority pursuant to para. 1, the controller shall provide the supervisory authority with:
   (a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
   (b) the purposes and means of the intended processing;
   (c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
   (d) where applicable, the contact details of the data protection officer;
   (e) the data protection impact assessment provided for in Art. 35; and
   (f) any other information requested by the supervisory authority.
4. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
5. Notwithstanding para. 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
I. Preliminary remarks
Art. 36 ensures the involvement of the SA in the data protection assessment prior to the introduction of procedures which the controller considers to be lawful, but which nevertheless pose a high risk to the rights of the data subjects despite the technical and organisational measures taken. The provision is thus closely intertwined with the DPIA pursuant to Art. 35, which gives rise to the obligation of prior consultation pursuant to para. 1 (with the exception of para. 5). The provisions in para. 1 and para. 4 form the normative core of the consultation obligation. They provide that not only controllers are subject to a duty to consult: according to para. 4, Member States must also consult the SAs before regulating processing operations that are significant for data protection. The prior consultation is not designed as an approval requirement, but as a consultation obligation. Para. 2 and para. 3 define the procedure and the legal consequences of consultation. Para. 5 describes the scope of the national regulatory leeway.
The purpose of Art. 36 is prevention. The data protection conformity of processing operations shall be assessed as far as possible before they start.[1] However, the legal obligation to consult does not apply to all processing operations, but only to those that may pose a particular risk to the rights of data subjects. The prior consultation is thus intended to be an expression of the so-called risk-based approach of the GDPR,[2] according to which regulation only takes place depending on the concrete threat to the rights of the data subjects.[3] The mandatory contact with the SA is in line with the controllers’ obligation to be transparent pursuant to Art. 5 para. 1 lit. a and accountable pursuant to Art. 5 para. 2. Only identifiable risks enable controllers to minimise them efficiently. Prior consultation, together with the DPIA, has an alert function because it requires controllers to be aware of the risks involved in the processing of personal data. By making it compulsory for SAs to be involved in the internal data protection and data protection compliance checks of high-risk procedures, prior consultation includes an element of accountability for controllers.[4]
However, the above only incompletely describes the purpose of Art. 36. Para. 4 additionally stipulates an obligation to consult the SA within the framework of legislative procedures. This applies not only to risky procedures, but to any form of legal regulation of the processing of personal data. This participation of the SAs, which was already contained in the predecessor provision of Art. 20 para. 3 DPD, aims at the coherent implementation of the GDPR throughout its entire territorial scope. This is also consistent: although the GDPR is a generally applicable regulation, it contains numerous flexibility clauses which could lead to inconsistent implementation and inhomogeneous enforcement of data protection law in the individual Member States,[5] as was already criticised under the DPD. The obligation of prior consultation of the SAs in the legislative process is intended to ensure consistency.[6]
It is recognisable that the aim is to create legal certainty for the controllers and thus indirectly also for the data subjects with regard to the lawfulness of the processing. However, this has only been partially successful, because even in the case of a substantive response (not even mandatory)[7] by the SA to the request for consultation, the controller does not receive a legally binding response from the SAs (→ mn. 25). Art. 36 therefore does not contain a reservation of authorisation,[8] although the legal consequences of the consultation or the options for action of the SA are described in para. 2. They do not go beyond the already applicable framework of powers or consequences of SA action under Art. 58.
The practical relevance of the provision is much less than its wording would suggest. Since data controllers often have no interest in informing the SA, which is equipped with sanctioning and prohibition powers, about processing operations whose lawfulness could be doubtful, the DPIA is usually designed in such a way that it reaches a positive result.[9] In addition, the advisory function of the authority is often not perceived as a great help due to its limited resources.[10]
[…]
[1] Jandt in Kühling/Buchner, Art. 36 para. 4.
[2] Schrey in Rücker/Kugler (eds), New General Data Protection Regulation, para. 548; Voigt/von dem Bussche, The EU General Data Protection Regulation, p. 47.
[3] Veil, ZD 2015, p. 348.
[4] Cf. Rigaudias/Spina, ‘Article 36 Prior Consultation’ in Kuner/Bygrave/Docksey (eds), The EU General Data Protection Regulation, p. 684.
[5] Cf. Rec. 9, 10.
[6] Hansen in Wolff/Brink (eds), BeckOK DatenschutzR, Art. 36 DS-GVO para. 23.
[7] Hansen in Wolff/Brink (eds), BeckOK DatenschutzR, Art. 36 DS-GVO para. 11.
[8] Nolte/Werkmeister in Gola/Heckmann, Art. 36 para. 14; s.a. von dem Bussche in Plath, Art. 36 para. 1; Rigaudias/Spina, ‘Art. 36’ in Kuner/Bygrave/Docksey, p. 684.
[9] Koglin, ‘Datenschutz-Folgenabschätzung nebst vorheriger Konsultation’ in von dem Bussche/Voigt (eds), Konzerndatenschutz, Chap. 5, para. 52.
[10] Hansen-Oest, PinG 2016, p. 84.