Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?

Data Protection & Cyber Security

Russia

As per Russian data protection laws, there are no mandatory or recommended consultations with the regulators on aspects of compliance. Roskomnadzor regularly arranges “days of open doors” where representatives of Roskomnadzor express their views on current issues of privacy and their interpretation of the laws, as well as answer questions from the public. These are not binding though, since Roskomnadzor is the authority having administrative powers in the field of data protection and is not competent to issue normative acts in this field.

Argentina

The Data Protection Authority accepts consultations, and will issue its opinion in response. However, consultations are not required by law. They could be advisable depending on the circumstances of a given case.

Brazil

There is no legal provision requiring consultation with regulators to process personal data. However, the national data protection authority, as of August 2020, will be the entity responsible for answering questions and queries regarding personal data.

Bulgaria

In accordance with Article 36, para. 1 GDPR the data controller is required to consult the data protection authority (DPA) prior to the processing, in cases where the performed data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. In addition, the PDPA implements the possibility left for Member States under Article 36, para. 5 GDPR and requires that prior consultation takes place when personal data are processed through the performance of a task in the public interest, including in relation to social protection and public health (Article 12, para. 2 PDPA). The prior consultation is performed pursuant to the procedures under Article 36, para. 2 and 3 GDPR.

Switzerland

Consultations are not required pursuant to the current FADP. However, it is quite common to contact the FDPIC and discuss with him specific data processing activities or the interpretation of a provision by the FDPIC. The communication is conducted on a no-name basis, i.e. the client is not mentioned. The FDPIC is quite easy to reach.

Spain

As a general obligation of the Controllers or Processors, a prior consultation with the Data protection authority is established when a data processing, after having been analyzed under a data protection impact assessment (DPIA), results in a high risk in the absence of measures taken by the controller to mitigate the risk.

Chile

No, because there is no Data Protection Officer in Chile yet.

Germany

According to Art. 35 GDPR, the supervisory authority should be consulted if a data protection impact assessment (DPIA) shows that the processing involves a high-risk potential and if the measures used by the controller have not been efficient to minimize the risks.

The consultation as such does not constitute an authorization procedure for the processing operations and failing to do so does not lead to the unlawfulness of the data processing. However, the violation of this provision may be punished with fines of up to 10 million EUR or up to 2% of the worldwide annual turnover (see Art. 83(4)(a) GDPR). In view of these high possible fines, the consultation obligation is likely to have the effect of a de facto authorization procedure.

India

The Privacy Rules do not mention any consultation requirements with MeitY, or any other authority.

We have identified below some scenarios where consultation may be undertaken or where interaction with the authorities will be required:

(a) In case of information security breach - The Privacy Rules prescribe that the affected body corporate will need to demonstrate that it has implemented security control measures as per its information security programme and policies.[35]

(b) Prior to introducing new legislation – MeitY often publishes consultation papers / draft legislation and seeks comments from the public. The private sector, particularly affected entities, exhibit active involvement in this process.[36]

(c) In case information is requested by authorized Government agencies including CERT (as defined below): In specific events such as prevention and detection of cyber security incidents, emergency measures for handling cyber security incidents, prosecution of offences, national security, etc.

[35] We have provided further details in relation to information security programme and policies in our response to Query 16 below.

[36] Please note that this is not a mandatory legal requirement.

China

Current laws and regulations in China do not have a prior consultation requirement like the GDPR.

Indonesia

In general, there is no mandatory obligation for an ESO to conduct consultations with regulators regarding the collection and processing of personal data. However, please be informed that in certain circumstances, such as cross-border transfer of Personal Data from Indonesia abroad, the ESO is required to coordinate with MCI or any relevant Supervisory Agency or Sectoral Regulator (if any). Please see our answer on point 15 regarding cross-border transfer.

Portugal

Consultations with the CNPD are required prior to processing only where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk (article 36 of the GDPR).

United Kingdom

A controller must carry out a data protection impact assessment (DPIA) if the processing is likely to result in a high risk to individuals.

If, in the DPIA, a controller identifies a high risk that they cannot mitigate or reduce, they must consult with the Information Commissioner's Office (ICO) prior to commencing the processing. When consulting the ICO, a controller shall provide details of:

  • where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
  • the purposes and means of the intended processing;
  • the measures and safeguards provided to protect the rights and freedoms of data subjects;
  • where applicable, the contact details of the data protection officer;
  • the data protection impact assessment; and
  • any other information requested by the ICO.

The ICO will respond within eight weeks of the request for consultation and provide written advice to the controller. Where appropriate the ICO can issue a warning not to process the personal data.

Sweden

According to article 36 of the GDPR, the controller is required to consult the Swedish Data Protection Authority prior to processing where a so-called data protection impact assessment (see explanation of what this means below under question 10) indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Greece

Article 36 of the GDPR refers to the controller’s obligation to consult the supervisory authority. More precisely, article 36 par. 1 provides that the controller shall consult the supervisory authority prior to processing where a data protection impact assessment (hereinafter, “DPIA”) indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Article 13 par. 1 of the draft law provides for an explicit obligation to consult the supervisory authority about any provision to be included in a law or a delegated act which concerns the processing of personal data.

Paragraph 2 of the aforementioned article refers to specific examples where the consultation of the supervisory authority is obligatory. Such examples include:

  • the introduction and processing of a national identity number or of another identifier of general application, or a change in the terms and conditions of such processing and use of the above and of personal data related to the above;
  • the systematic processing on a large scale of personal data concerning health and public health in the public interest;
  • the systematic processing on a large scale of personal data concerning health for health or social care systems and services management purposes;
  • the systematic processing on a large scale of genetic or biometric personal data;
  • the systematic processing on a large scale of personal data with the purpose of introduction, organization, provision and control over e-government services; and
  • the systematic processing on a large scale of personal data concerning the financial situation and behavior and the creditworthiness of natural persons.

In addition to the above, obligatory consultation of the supervisory authority may arise under article 31 of the GDPR, as well as in the case of a personal data breach under article 33 par. 3 (b) of the GDPR.

Turkey

There are no specific provisions under the local legislation directly requiring consultations with the regulatory authority. However, considering that data privacy regulations are rather new and the industry practices are ever-evolving, it is recommended to establish balanced dialogues with the regulatory authority.

Austria

Legal consultation obligations with the Data Protection Authority exist within the framework of the GDPR (art. 36 GDPR). In the case of complex factual matters or legal issues, however, it may be advisable to seek informal discussions with the Data Protection Authority.

France

A controller must carry out a data protection impact assessment ('DPIA') if the processing is likely to result in a high risk to individuals (GDPR, Article 35). For more information about DPIA please see question 10.

If, in the DPIA, a controller identifies a high risk that it cannot mitigate or reduce, it must consult with the CNIL prior to commencing the processing (GDPR, Article 36).

When consulting the CNIL, a controller shall provide details of:

  • where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
  • the purposes and means of the intended processing;
  • the measures and safeguards provided to protect the rights and freedoms of data subjects;
  • where applicable, the contact details of the data protection officer;
  • the data protection impact assessment; and
  • any other information requested by the CNIL.

The CNIL will respond within eight weeks of the request for consultation and provide written advice to the controller. Where appropriate, the CNIL can issue a warning not to process the personal data.

More details on the DPIA are provided for in Article 35 of the GDPR and on the CNIL website.

United States

Consultations with regulators regarding privacy and data security matters are not generally required in the U.S., and unlike in other countries, U.S. regulators are not data protection authorities of general application. Entities in certain regulated industries, such as health or financial services, may have routine or compulsory consultations with their federal or state regulators that include discussions concerning privacy or data security matters, although the underlying purpose of the consultation is focused on other issues. Although not formally recommended in most cases, it may be advisable to consult with a regulator under certain circumstances. For example, a company that has experienced a serious data security incident and is investigating in preparation for a large-scale notification may wish to inform the relevant state or federal regulatory agencies of its investigation and notification plan to avoid post-notification inquiries regarding timing or delays.

Malaysia

Referring to Section 26(2) PDPA, consultation with the Commissioner is conducted before a code of practice is revised, wherein the Commissioner would consult with the relevant body representative of the data users to which the code of practice applies. Section 14(2) PDPA requires similar consultations with potential representatives of data users before the Commissioner makes his recommendation relating to the class of data users to be subjected to registration under the PDPA.

Gibraltar

In the event that a data controller undertakes a DPIA and its results indicate that the proposed processing of data puts the rights and freedoms of data subjects at high risk of being breached, the data controller must consult with the GRA (Article 36(1) of GDPR).

Ireland

A controller must carry out a data protection impact assessment (DPIA) if the processing is likely to result in a high risk to individuals.

If, in the DPIA, a controller identifies a high risk that they cannot sufficiently mitigate or reduce, they must consult with the DPC prior to commencing the processing. When consulting the DPC, a controller must provide details of:

  • where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
  • the purposes and means of the intended processing;
  • the measures and safeguards provided to protect the rights and freedoms of data subjects;
  • where applicable, the contact details of the data protection officer;
  • the data protection impact assessment; and
  • any other information requested by the DPC.

The DPC is required to respond within eight weeks of the request for consultation and provide written advice to the controller (the period may in certain circumstances be extended). Where appropriate, the DPC may exercise its powers in respect of the proposed processing (such as issuing a warning not to process the personal data).

Japan

No.

However, companies often voluntarily consult with the Personal Information Protection Commission when they are not sure how the Japanese personal data protection act should be interpreted or when a data breach occurs.

Updated: September 16, 2019