Who and in which situations is obliged to submit a request for a prior consultation?
According to the provisions of the GDPR, the controller may request a prior consultation (Art. 36(1) of the GDPR). The Act on the Protection of Personal Data also included processor to the entities that may apply with a request to hold prior consultations (Art. 57 §1 of the Act on the Protection of Personal Data).
A request for prior consultation should be made in a situation where a data protection impact assessment (DPIA) from the list of examined processing operations includes operations which are likely to result in a high risk to the rights and freedoms of natural persons and when the controller cannot find sufficient measures to reduce (mitigate) the risk to an acceptable level (Art. 36 of the GDPR).
Then, prior to data processing, the results of the assessment should be consulted with the supervisory authority, unless the controller decides not to process the data, e.g. not to introduce a new service.
Therefore, it should be emphasized that if the conducted DPIA showed that the processing will not result in a high risk, then there is no reason to ask the authority for prior consultation. (Art. 36(1) of the GDPR).
Prior consultation is a tool for cooperation between the supervisory authority and the controller. The purpose of prior consultations is to provide the best possible safeguards for personal data processing operations by the controller in cooperation with the supervisory authority.
