The Belgian Data Protection Authority (the “Belgian DPA”) recently published on its website a form to be completed for prior consultation in the context of a data protection impact assessment (“DPIA”).
Under Article 35 of the EU General Data Protection Regulation (the “GDPR”), data controllers must consult the supervisory authority where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The form must be completed and sent back to the Belgian DPA by email or by mail.
The form, which may be used by companies to request a prior consultation or to cancel a submitted request for prior consultation, includes questions to be answered in case of cross-border activities. Answers to these questions will allow the Belgian DPA to determine whether it should be deemed a lead DPA with respect to a submitted prior consultation request, or to refer the case to the appropriate DPA.
The form also includes queries regarding details of the processing activity, as well as questions to help assess risks related to the processing activity and how the company will manage such risk. If the Belgian DPA concludes that an envisaged processing activity may infringe the GDPR, it will issue an opinion regarding such processing activity within eight weeks. This period may be extended by six additional weeks depending on the complexity of the case.
Together with the form, the Belgian DPA also published a guide to assist companies in determining whether or not they must conduct a DPIA and when they must consult the Belgian DPA following a DPIA.
In the guide, the Belgian DPA notes the three types of “high risk” processing activities that always require a DPIA under the GDPR, as well as the Article 29 Working Party’s list of nine factors to consider when determining whether a processing activity is “high risk.”