The GDPR.pl portal has approached supervisory authorities from EU countries with a series of questions, one of which concerned the number of requests for prior consultation. This study is therefore based only on the answers and numbers sent to us.
Article 36 of the GDPR provides that where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk, the controller shall consult the supervisory authority prior undertaking such processing.
In the reply sent to us, the Polish supervisory authority indicates that:
A request for prior consultation may be necessary in the specific situations referred to in Article 36 of the GDPR, i.e. where the processing would result in a high risk of infringement of the rights or freedoms of individuals, and the controller is of the opinion that this risk cannot be minimised by reasonable measures in terms of available technology and implementation costs. Therefore, a precondition for requesting prior consultation of the supervisory authority is that the controller should carry out a prior data protection impact assessment in order to assess the risk of infringement of individuals’ rights and freedoms. If this assessment reveals a high risk of infringement of individuals’ rights or freedoms, and the controller considers that this risk cannot be mitigated by the means available to it in terms of technology and implementation costs, then the controller must consult the President of the Office for Personal Data Protection. Therefore, in order for it to be necessary to request prior consultation with the President of the Office for the Protection of Personal Data, there must be this exceptional situation in which the controller or joint controllers will not be able to find the right optimal solution for the secure processing of personal data in the planned processing operations.
Whoever consults does not take risk
It should first be pointed out that Article 36 of the GDPR grants the controllers a useful tool which, in the case of processing where a high risk of infringement of the rights and freedoms of data subjects is identified, makes it possible to obtain a binding position of the supervisory authority. If it considers that such intended processing would infringe the GDPR, in particular where the controller has insufficiently identified or mitigated the risks, the supervisory authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice and may use any of its powers referred to in Article 58 of the GDPR. That period may be extended by six weeks, taking into account the complexity of the intended processing.
And there are no conclusions
The small number of requests made by European controllers is somewhat surprising. In Germany in particular, where the local supervisory authorities in the various federal states are extremely efficient, only one such request has been made so far. In contrast, Finnish SA has got 90 requests, Croatian – 35 (!), Swedish – 30, the United Kingdom’s – 10, Latvian and Icelandic – 5 each of them. What is interesting, the Scandinavian neighbours, i.e. Sweden and Finland, together dominated this list (around 65% of the requests for prior consultation submitted).
Such situation may result, on the one hand, from the nature of the procedure itself, which presupposes the presentation of a detailed picture of the processing to the supervisory authority, and, on the other hand, to the failure to carry out reliable risk analysis and data protection impact assessment, during which processing requiring prior consultation would be identified.
Our practice also shows that in Poland, the lack of requests is often due to a fear of reaction of the supervisory authority, which recently seems to be willing to use the instrument of administrative fines. Managers are reluctant to contact the authority, which could potentially have a negative impact on their current or planned business operations. This attitude, however, completely disregards the fact that the controller consults the supervisory authority prior the processing is launched and receipt of binding opinion de facto eliminates the risk of the authority subsequently considering the processing as infringing the GDPR.
Fear of administrative fines?
In seeking an answer to the question of why in Poland no one consults the supervisory authority, and in Scandinavia it is, so to speak, quite common, we started by analysing the interdependence with the imposition with administrative fines. Can the fear of fine be the reason for so few requests for prior consultation? In Finland, only five administrative fines have been imposed, while in Germany it is already 26, which could support the theory. In Poland only 9 penalties have been imposed so far, in Iceland and Latvia – 2 fines in each country, and in the United Kingdom barely 3 fines. We seem to have not enough amount of data available to us to establish a cause-and-effect relationship here, but certainly in the case of several countries, we can talk about a relationship between the two factors – a small number of penalties = more requests for prior consultation. You can also look at this issue from the other side – a lot of the prior consultations result in few penalties being imposed (for example, in Finland, where 5 administrative fines have been imposed and where 90 requests for prior consultation have been made).
It is more difficult to link the number of prior consultations to the total amount of imposed fines –while in the case of Finland (where the SA imposed fines amounting to a total of EUR 200 000) a clear link can be found to confirm this theory, situation in the United Kingdom or Norway do not seem to confirm it at all.
The information we have collected does not inspire optimism and allows us to conclude that the prior consultation mechanism is still not very popular, despite the obvious benefits for the controllers. This is a pity because it is a very well-conceived mechanism to support the controllers in implementing the principle of data protection by design. Above all, we should be encouraged to do so by the supervisory authorities, rewarding the ‚brave ones’ with a quick and substantive advices bearing that that both parties should be equally interested in protecting the rights of data subjects.
However, the problem seems to be more complex and ambiguous. In the opinion of the Personal Data Protection Office, data controllers incorrectly comply with the provisions of personal data protection law. In its reply to us, the Office states that:
The procedure of prior consultation is highly formalised, i.e. in addition to the requirements set out in Article 63 of the Code of Administrative Procedure, such a request must contain at least the information listed in Article 36(3) of the GDPR. If the request does not comply with these requirements, the President of the Office shall inform about the non-provision of the consultation, indicating the reasons (pursuant to Article 57(3) of the Personal Data Protection Act).
The fact that so far the President of the Office has not provided any advice to requests for prior consultations referred to in Article 36 of the GDPR does not mean that such requests have not been considered. The first such request was submitted back in October 2018, however, due to the fact that it did not meet formal requirements (e.g. incorrect power of attorney, lack of elements specified in Articles 36 and 35 of the GDPR), the President of the Personal Data Protection Office did not provide advice in that case.
Moreover, the President of the Personal Data Protection Office has received a very few letters entitled „request for prior consultation”, but after their analysis it turned out that they concern doubts related to processing of personal data in specific described situations. This may mean that the controllers, both from the private and public sector, often confuse the formalised procedure of prior consultation with a situation where they only want to obtain a position on a specific case from the President of the Personal Data Protection Office.
Where is the problem, then, on the part of the controllers, who do not know how to submit a request and are afraid of this institution, or on the part of the Office that has not implemented encouragement mechanisms and has not carried out an educational campaign? As you can see, there is such a need on the part of the controllers and the DPOs. We leave the question open, but it is worth looking at the problem in the future.It remains to be hoped that good practices from Finland, Croatia or Sweden will become more popular in other EU Member States over time. We would not want prior consultation to share the fate of certification, which is considered to be the greatest disappointment of the market with regard to the GDPR.
Finally, it is worth quoting an excerpt from the Office’s position, which sums up our analysis well:
When it comes to the assessment of the institution of prior consultation itself, it seems to be a good idea to include it in the GDPR, as it is intended, in a way, to help controllers to develop a proper strategy for the protection of personal data. Despite the fact that the controllers are fully free to choose the security measures to be applied for the protection of personal data, this institution envisages situations where none of these measures may be appropriate. The GDPR therefore does not leave the controllers alone in such circumstances and gives them a tool to obtain assistance from the supervisory authority.
Our next publications will be on data protection officers – also a very hot topic. So we invite you to follow our publications next week, we promise it will be very interesting.
Tomasz Osiej, Michał Czarnecki