Who is obliged to submit a request for prior consultation, and in which situations?
According to the provisions of the GDPR, the controller may request a prior consultation (Art. 36(1) of the GDPR). The Act on the Protection of Personal Data also includes the processor among the entities that may submit a request for prior consultation (Art. 57(1) of the Act on the Protection of Personal Data).
Where the DPIA indicates that the processing would result in a high risk, the results of the assessment should be consulted with the supervisory authority prior to the data processing, unless the controller decides not to process the data, e.g. not to introduce a new service.
Therefore, it should be emphasized that if the DPIA that was carried out showed that the processing will not result in a high risk, then there is no reason to ask the authority for prior consultation (Art. 36(1) of the GDPR).
Prior consultation is a tool for cooperation between the supervisory authority and the controller. The purpose of prior consultations is to provide the best possible safeguards for personal data processing operations by the controller in cooperation with the supervisory authority.
Revised list of operation types requiring a data protection impact assessment.
Processing activities related to offering goods or services to data subjects require a data protection impact assessment. Such an obligation also exists when controllers monitor the behaviour of persons in several Member States.
The Announcement of the President of the Personal Data Protection Office of 17 June 2019 on the list of personal data processing operation types requiring an assessment of the impact of the envisaged processing operations on the protection of personal data was published in the Monitor Polski (Official Gazette of the Republic of Poland) on 8 July 2019.
Pursuant to Article 35(4) of the GDPR, the supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment. The published list contains 12 categories of types of processing operations, together with examples of operations where there may be a high risk to the rights and freedoms of data subjects and examples of potential areas covering these operations.
As a general rule, processing that meets at least two of the indicated criteria will require a data protection impact assessment. In some cases, however, a controller may consider that processing meeting only one of the listed criteria will require a data protection impact assessment. The more criteria a processing operation meets, the more likely it is that there is a high risk to the rights and freedoms of data subjects, and consequently, regardless of the measures that the controller foresees to apply, a data protection impact assessment will be required.
Example: A controller offers a cloud-based sports performance monitoring system that works with smart bands to record heart rate data (processing of special categories of personal data - item 4 of the list) and location data (processing of location data - item 12 of the list). The processing therefore meets two of the listed criteria and requires a data protection impact assessment.
This list has been updated after taking into account the opinion issued by the European Data Protection Board and also includes processing activities related to offering goods or services to data subjects or monitoring their behavior in several Member States or which may substantially affect the free flow of personal data within the European Union.
The Announcement of the President of the Personal Data Protection Office was issued on the basis of Article 54(1)(1) of the Act on the Protection of Personal Data in conjunction with Article 35(4) and (6) of the GDPR. The list is annexed to the Announcement of the President of the Personal Data Protection Office, available at: http://monitorpolski.gov.pl/MP/2019/666.