Article 36 of the GDPR outlines the obligation for data controllers to consult with Supervisory Authorities (SAs) if their processing still poses a high risk to data subjects’ rights, even after applying risk mitigation measures.
When is SA Consultation Required?
According to WP29 guidance (WP248 rev.01), the controller must consult the SA where the residual risk, after mitigation, remains high. WP29 describes this as a situation where data subjects may face significant, or even irreversible, consequences they cannot overcome, for example an illegitimate access to the data that could:
- Threaten the lives of data subjects
- Lead to a data subject losing their job
- Put a data subject in financial jeopardy
It also applies where it seems obvious that the risk will materialise (for instance because the number of people with access to the data cannot be reduced, or because a well-known vulnerability is left unpatched).
Key aspects of SA review:
- The controller determines if a high residual risk remains.
- Only high-risk DPIAs must be reviewed by the SA.
- Some SAs (e.g., Malta) clarify that they do not approve DPIAs but provide guidance.
- The Czech SA noted a lack of DPIAs submitted for review, suggesting underreporting.
SA’s Role and Response
When consulting the SA, the controller must provide (Article 36(3) GDPR):
- The DPIA report
- Processing details (purposes, means, and the measures and safeguards that protect data subjects)
- The respective responsibilities of the controller, any joint controllers and the processors involved
- Contact details of the data protection officer, where one has been designated
- Any other information the SA requests
Where the SA considers that the intended processing would infringe the GDPR, it must, within eight weeks of receiving the request (extendable by a further six weeks for complex processing), provide written advice to the controller. It may also:
- Use any of its investigative, corrective or authorisation powers under Article 58 GDPR
Practical Considerations
- WP29 emphasizes DPIAs must be retained and updated, whether or not an SA review is triggered.
- Some SAs (e.g., Portugal) charge a fee for DPIA consultations.
- The decision to consult the SA is ultimately left to the controller.
Key Takeaways
- SA consultation is only required if residual risk remains high.
- Controllers decide whether to trigger SA review but must justify their decision.
- SAs advise on DPIAs but do not approve them; if the SA concludes that the processing would infringe the GDPR, it can use its Article 58 powers, including ordering the processing to be limited or banned.
- Maintaining and updating the DPIA remains the controller’s responsibility.