Art. 36
1. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
2. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
3. When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:
a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
b) the purposes and means of the intended processing;
c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
d) where applicable, the contact details of the data protection officer;
e) the data protection impact assessment provided for in Article 35; and
f) any other information requested by the supervisory authority.
4. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
|
Art. 34
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
(a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or
(b) the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.
3. Where the supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.
4. The supervisory authority shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.
5. Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57 prior to the adoption of the list.
6. The controller or processor shall provide the supervisory authority with the data protection impact assessment provided for in Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.
7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for determining the high degree of specific risk referred to in point (a) of paragraph 2.
9. The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, and standard forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
|
Art. 34
1. (…)
2. The controller (...) shall consult the supervisory authority prior to the processing of personal data where a data protection impact assessment as provided for in Article 33 indicates that the processing would result in a high (...) risk in the absence of measures to be taken by the controller to mitigate the risk.
3. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 2 would not comply with this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, it shall within a maximum period of 6 weeks following the request for consultation give advice to the data controller, in writing, and may use any of its powers referred to in Article 53 (...). This period may be extended for a further six weeks, taking into account the complexity of the intended processing. Where the extended period applies, the controller or processor shall be informed within one month of receipt of the request of the reasons for the delay.
4. (...)
5. (...)
6. When consulting the supervisory authority pursuant to paragraph 2, the controller (...) shall provide the supervisory authority with:
(a) where applicable, the respective responsibilities of controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
(b) the purposes and means of the intended processing;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
(d) where applicable, the contact details of the data protection officer;
(e) the data protection impact assessment as provided for in Article 33; and
(f) any (...) other information requested by the supervisory authority (...).
7. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure adopted by a national parliament or of a regulatory measure based on such a legislative measure which provide for the processing of personal data (...).
7a. Notwithstanding paragraph 2, Member States' law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to the processing of personal data by a controller for the performance of a task carried out by the controller in the public interest, including the processing of such data in relation to social protection and public health.
8. (...)
9. (...)
|
Art. 20
1. Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof.
2. Such prior checks shall be carried out by the supervisory authority following receipt of a notification from the controller or by the data protection official, who, in cases of doubt, must consult the supervisory authority.
3. Member States may also carry out such checks in the context of preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which define the nature of the processing and lay down appropriate safeguards.
|
Article 16
Notification Obligation
(1) Whoever intends to process personal data as a controller or alter the registered processing pursuant to this Act, with the exception of the processing mentioned pursuant to Article 18, shall be obliged to notify in writing the Office of this fact before carrying out the personal data processing.
(2) The notification must include the following information:
(a) the identification data of the controller, i.e. in case of natural person who is not an entrepreneur his first name or names, surname, date of birth and address of permanent residence; in case of other subjects their trade, corporate or other name, seat and identification number if assigned, and name, eventually first names and surnames of persons that are their statutory representatives;
(b) the purpose or purposes of processing;
(c) the categories of data subjects and of personal data pertaining to these subjects;
(d) the sources of personal data;
(e) a description of the manner of personal data processing;
(f) the location or locations of personal data processing;
(g) the recipient or category of recipients;
(h) the anticipated personal data transfers to other countries;
(i) the description of measures adopted to ensure the protection of personal data pursuant to Article 13;
(3) If the notification includes all essentials pursuant to paragraph 2 and no proceeding pursuant to Article 17(1) has been initiated, the personal data processing may start after the expiration of 30 days from the delivery of the notification. In such case the Office records the information stated in the notification into the register.
(4) If the notification does not include all essentials pursuant to paragraph 2, the Office shall send without delay a reminder to the notifying subject in which he shall make reference to the missing or insufficient information and set a deadline for supplementing the notification. In case the notification is being supplemented, running out the time limit pursuant to paragraph 3 shall begin as of the day of delivery of the notification supplement. If the Office does not receive the notification supplement within the set deadline, the notification shall be regarded as if it has not been submitted.
(5) Upon the request from the controller the Office shall issue a certificate which includes date of issuance, reference number, first name, surname and signature of the person by whom the certificate has been issued, official stamp, identification data of the controller and purpose of processing.
(6) If, pursuant to paragraph 1, the notification concerns a processing subjected to investigation, the Office refuses to enter it into the register. The Office shall do the entry as soon as the investigation is closed.
|