(94) Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person. The supervisory authority should respond to the request for consultation within a specified period. However, the absence of a reaction of the supervisory authority within that period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

(95) The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.

(96) A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application