Review by Supervisory Authorities

Review by Supervisory Authorities

Article 36 of the GDPR outlines the obligation for data controllers to consult with Supervisory Authorities (SAs) if their processing still poses a high risk to data subjects’ rights, even after applying risk mitigation measures.

When is SA Consultation Required?

According to WP29 guidance, a DPIA must be referred to the SA if residual risks remain high and could:

  • Threaten lives
  • Lead to mass layoffs
  • Jeopardize financial stability

Key aspects of SA review:

  • The controller determines if a high residual risk remains.
  • Only high-risk DPIAs must be reviewed by the SA.
  • Some SAs (e.g., Malta) clarify that they do not approve DPIAs but provide guidance.
  • The Czech SA noted a lack of DPIAs submitted for review, suggesting underreporting.

SA’s Role and Response

Once referred, the controller must provide:

  • DPIA report
  • Processing details (purpose, means, safeguards, etc.)
  • Roles of controllers and processors

The SA may:

  • Provide written advice
  • Use enforcement powers (Article 58 GDPR) if they find GDPR violations

Practical Considerations

  • WP29 emphasizes DPIAs must be retained and updated, whether or not an SA review is triggered.
  • Some SAs (e.g., Portugal) charge a fee for DPIA consultations.
  • The decision to consult the SA is ultimately left to the controller.

Key Takeaways

  • SA consultation is only required if residual risk remains high.
  • SAs provide guidance but do not approve DPIAs (except through enforcement action if needed).
  • Controllers decide whether to trigger SA review but must justify their decision.
  • Maintaining and updating the DPIA remains the controller’s responsibility.