Public Consultation

Under Article 35(9) of the GDPR, organizations conducting a Data Protection Impact Assessment (DPIA) must consult with data subjects “where appropriate.” However, this requirement is not absolute and allows controllers to determine whether consultation is necessary.

When is Public Consultation Required?

The GDPR does not define clear criteria for determining when consultation is appropriate. WP29 guidance does not offer a specific test but does require that if an organization chooses not to consult data subjects, it must document its reasoning. WP29 provides three scenarios where consultation would be inappropriate:

If a consultation is performed and data subjects raise concerns, but the controller disagrees, the WP29 guidance states that the controller should produce a written justification explaining its position.

How Should Public Consultation Be Conducted?

The GDPR gives controllers wide discretion in choosing how to gather feedback from data subjects. Possible methods include:

The Spanish and Norwegian Supervisory Authorities (SAs) emphasize that the purpose of public consultation is not just to collect opinions but to:
