Data Protection Act 2018

84.

Data protection impact assessment and prior consultation with Commission

84. (1) Where having regard to its nature, scope, context and purposes, a type of processing, and in particular a type of processing using new technology, is likely to result in a high risk to the rights and freedoms of individuals, the controller that is proposing to carry out the processing shall conduct an assessment of the likely impact of the proposed processing operations on the protection of personal data (in this Part referred to as a “data protection impact assessment”) prior to carrying out the processing.

(2) A data protection impact assessment carried out in accordance with subsection (1) shall include:

(a) a general description of the proposed processing operations to which it relates;

(b) an assessment of the potential risks to the rights and freedoms of data subjects as a result of the proposed processing; and

(c) a description of any safeguards, security measures or mechanisms proposed to be implemented by the controller to mitigate any risk referred to in paragraph (b) and to ensure the protection of the personal data in compliance with this Part.

(3) Where—

(a) it appears to a controller, having conducted a data protection impact assessment, that the processing concerned would, despite the implementation of safeguards, security measures or mechanisms referred to in subsection (2)(c), result in a high risk to the rights and freedoms of individuals, or

(b) the controller proposes to carry out processing of a type prescribed by the Commission under subsection (9),

the controller shall, prior to commencing the processing, consult the Commission by request in that regard in writing.

(4) A controller shall, when making a request under subsection (3), provide the Commission with—

(a) the data protection impact assessment conducted in relation to the processing concerned, and

(b) any other information required by the Commission to enable it to assess—

(i) the potential risks to the rights and freedoms of individuals arising from the proposed processing, and

(ii) the compliance of the proposed processing with this Part.

(5) The Commission shall, where it is of the view that the proposed processing would not comply with this Part, in particular where it is of the view that the controller has insufficiently identified or mitigated the potential risks to the rights and freedoms of individuals arising from the proposed processing, issue written advice in relation to the processing to the controller and, where applicable, any proposed processor.

(6) Subject to subsection (8), where the Commission issues written advice pursuant to subsection (5), it shall do so within a period of 6 weeks from the date on which it receives the request under subsection (3).

(7) For the purposes of responding to a request under subsection (3), the Commission may use any of its powers referred to in Chapter 4 of Part 6.

(8) Where, taking into account the complexity of the proposed processing, the Commission is of the opinion that it requires additional time to consider a request made under subsection (3), it may, once only and within one month from the date of the receipt of the request, extend the time period referred to in subsection (6) by such further period not exceeding one month as it may specify by notice in writing to the controller concerned.

(9) The Commission may, following consultation with the Minister, make regulations prescribing a type of processing for the purposes of subsection (3)(b) as a type of processing in relation to which a controller shall consult the Commission prior to commencing the processing.

(10) The Commission shall, when prescribing a type of processing under subsection (9), have regard to—

(a) the nature, scope and purposes of the type of processing,

(b) the type of processing involved, in particular where the use of new technology is likely to result in a high risk to the rights and freedoms of individuals,

(c) the likelihood of any such risks arising and the severity of such risks, and

(d) any submissions received pursuant to subsection (11)(c) in relation to the proposed regulations.

(11) The Commission shall, prior to making regulations under subsection (9), publish a notice on the website of the Commission and in at least one daily newspaper circulating generally in the State—

(a) indicating that it proposes to make regulations under this section,

(b) indicating that a draft of the regulations is available for inspection on that website for a period specified in the notice, being not less than 28 days from the date of the publication of the notice in the newspaper, and

(c) stating that submissions in relation to the draft regulations may be made in writing to the Commission before a date specified in the notice, which shall be not less than 28 days after the end of the period referred to in paragraph (b).

(12) Where there is a proposal for a legislative measure for which a Minister of the Government is responsible that relates to the processing of personal data, the relevant Minister shall consult with the Commission during the process of the preparation of the legislative measure.