Prior consultation

Did a data protection impact assessment (DPIA) show that a processing operation that an organisation intends to perform will entail a great privacy risk? And is this organisation unable to take measures to mitigate this risk? Then the organisation will have to submit the processing operation to the Dutch Data Protection Authority (Dutch DPA). We call this prior consultation.

Prior consultation (VR)

Prior consultation is sometimes also referred to by the Dutch abbreviation VR.

VR is a legal requirement

The obligation to apply for a prior consultation is laid down in the:

  • General Data Protection Regulation (GDPR);
  • Dutch Police Data Act (Wpol);
  • Dutch Judicial Data and Criminal Records Act (Wjsg).

Is VR necessary?

As an organisation, you determine yourself whether a prior consultation is mandatory in your case. Does your organisation have a Data Protection Officer (DPO)? Then the DPO can advise you on this subject.

You decide whether you have to apply to the Dutch DPA for a prior consultation by looking at the outcomes of your DPIA and determining:

  • what the identified and listed privacy risks of your intended processing operation are;
  • what measures you can take to mitigate these risks.

Note: The DPO may advise you, but you, as the controller, must apply for the prior consultation yourself.

Measures possible

Did you manage to establish measures? Then you do not have to apply for a prior consultation.

Example
You want to store personal data on laptops. You take the appropriate technical and organisational security measures for this purpose, such as encryption of the data and access control. You do this in addition to existing privacy policies, such as informing the data subjects about the processing of their personal data, asking for consent and providing access. You do not have to apply for prior consultation.

Measures not possible

Do you not manage to establish measures? So the risk remains high (there is a residual risk)? Then you have to apply to the Dutch DPA for a prior consultation.

An example of an unacceptably high risk is if the processing has significant or even irreversible consequences for the data subjects. And there is nothing that they can do about that and/or it is abundantly clear that the risk will occur.

Note: You may also be obliged to request prior consultation for a pilot or a test, when you process ‘real’ personal data in the process. That's because the GDPR, Wpol or Wjsg apply in these cases as well. There is no exception for personal data processing operations performed during a pilot or test.

Do you have any questions?

Do you have any questions about the procedure for the prior consultation? Or are you in doubt, for example, as to whether you have to apply for a prior consultation? Then you can discuss that informally with the Dutch DPA on a case-by-case basis.

Legal basis is your own responsibility

It is your own responsibility to determine the legal basis for your processing operation. The Dutch DPA can only inform you about this in a general sense. Or assess (after investigation) in hindsight if the legal basis is sufficient for a specific processing.

The prior consultation is not intended for asking advice about which legal basis you have to choose for your processing. Or for asking whether you have chosen the right legal basis. The prior consultation is intended for submitting the residual risks of a processing operation to the Dutch DPA. A missing or insufficient legal basis is not a residual risk, but concerns the legal basis of the processing.

Apply for VR

As a controller, you can apply to the Dutch DPA for a prior consultation. You do this as follows:

  • Download the Prior consultation application form.
  • Answer all questions that apply to your situation.
  • Send the completed questionnaire to the Dutch DPA. Enclose your DPIA and the advice of the DPO, if any, with your application. Please send all documents to:

    Dutch Data Protection Authority (DPA)
    (Autoriteit Persoonsgegevens)
    Aanvraag voorafgaande raadpleging
    Postbus 93374
    2509 AJ Den Haag.

Note:

  • As long as the Dutch DPA has not yet assessed your application, you are not allowed to start processing the data.
  • The Dutch DPA processes your personal data when you make an application. If you want to know more about this, read the Privacy statement of the Dutch DPA.

The Dutch DPA will only process your application if you have answered all questions that pertain to your situation and you enclose the DPIA and any advice of the DPO with your application.

Application rejected

After receiving your application, the Dutch DPA will first decide whether it will process your application. The Dutch DPA will reject your application if:

  • The operation does not involve the processing of personal data.
  • According to the Dutch DPA and/or you as the applicant, the processing operation clearly does not entail, or no longer entails, a high risk. In the latter case, the Dutch DPA will proceed from your own assessment, because you are yourself responsible for compliance with the law. In that case, the Dutch DPA will not perform a substantive assessment.
  • The application only pertains to a possibly missing or incomplete legal basis.
  • The form has not been filled in correctly, and as a result, the information provided is incomplete, contradictory or otherwise unclear.
  • The DPIA is missing, does not meet the requirements, or is implausible.

If the Dutch DPA will not process your application, you will receive a letter about this.

Missing information

Is the Dutch DPA unable to process your application because information is missing? Then this will be in the letter, including which information it concerns. You will then be given the opportunity to supply the missing information within a specified period of time. Do you fail to send the requested information in time? Then the Dutch DPA will not process your application any further, and this will be a final decision.

Substantive assessment of VR

Does the Dutch DPA process your application? Then the Dutch DPA will check first if your intended processing meets the requirements of the GDPR, the Wpol or the Wjsg.

Valid legal basis

A prior consultation is not intended for advice on the legal basis of the processing. The Dutch DPA will therefore not process an application that pertains to this matter only. But the Dutch DPA must assess the legal basis.

Is the legal basis missing or insufficient? Then any processing on this basis is already unlawful from the outset. Measures for mitigating the privacy risks are then not possible, because any processing must be based on an adequate legal basis.

Assessing risks

In addition, the Dutch DPA particularly assesses the high-risk aspects of the intended processing and the measures necessary for mitigating the risks.

Cross-border processing

The Dutch DPA also assesses for every application if it involves cross-border processing. And therefore if the Dutch DPA has to collaborate with other EU member states or EU bodies in the assessment of the application.

  • Is the Dutch DPA the lead authority? Then the Dutch DPA will give a response to your application.
  • Is the Dutch DPA not the lead authority? Then the Dutch DPA will pass on your application to the lead authority. You will then receive a response from that authority.

VR outcomes

The Dutch DPA will inform you in writing of the outcome of the prior consultation. A total of three outcomes are possible:

  1. Positive advice: The Dutch DPA judges that your intended processing operation does in fact violate the GDPR, Wpol or Wjsg, but that measures can be taken to counter the violation. You will be provided with advice by the Dutch DPA. In this advice, the Dutch DPA will indicate why the intended processing infringes the law and which measures or alterations are required for ensuring that this does not happen. You must implement these measures. You are not allowed to start processing until you have done this.
  2. Negative advice: The Dutch DPA finds that it will not be possible to prevent infringement of the GDPR, Wpol or Wjsg. Not even with additional safeguards or measures. The Dutch DPA recommends that you decide not to proceed with the processing altogether. You will only receive a concluding letter then.
  3. Advice not necessary: Advice from the Dutch DPA is not necessary. For example because the risks prove to have been covered sufficiently after all. You will only receive a concluding letter then. And you can start processing right away.

Statutory processing period

When the Dutch DPA processes your application, the statutory processing period starts. This is:

  • GDPR: 8 weeks with a possible extension of 6 weeks, so no more than 14 weeks;
  • Wpol or Wjsg: 6 weeks with a possible extension of 4 weeks, so no more than 10 weeks.

The Dutch DPA may extend the periods by the number of weeks stated if your intended processing is very complex.

Dutch DPA needs more information

Does the Dutch DPA need more information when assessing your application? Then the Dutch DPA will ask you to provide this information within a specified period of time. You can request a postponement for this.

  • Does it concern a GDPR processing? Then the processing period will be interrupted if the Dutch DPA requests further information.
  • Does it concern a Wpol processing or a Wjsg processing? Then the processing period will continue if the Dutch DPA requests further information. The Wpol and the Wjsg do not provide for the possibility of interrupting the processing period.

Quick answers

Will the Dutch DPA publish my prior consultation?

No, not in principle. Sometimes, the Dutch DPA may decide to publish the advice on your processing. For example, if this may be of significant value to other organisations. If the Dutch DPA intends to publish the advice, the Dutch DPA will let you know in advance.

What can the Dutch DPA do if I do not observe the rules of the prior consultation?

In the following cases, the Dutch DPA may see a reason to start an enforcement investigation or impose a fine:

  • if you do not apply for a prior consultation while this is mandatory;
  • if you have already started processing before or during the prior consultation;
  • if after the prior consultation it turns out that you have processed data contrary to the advice given.

As a ministry, do I have to apply for a prior consultation for new legislation?

No, this is usually not necessary. The obligation to ask the Dutch DPA for a test always applies to legislation on personal data processing, regardless of whether or not there is a high risk (Article 36, paragraph 4 GDPR).

In this legislative test, the Dutch DPA checks the privacy aspects of the intended processing operation. In the methodology of the Dutch DPA, a separate prior consultation would be redundant.

Note: A legislative test from the Dutch DPA is mainly about the legislative text itself. Are there any aspects of the processing operation(s) that have not logically been dealt with already in the legislative text or the explanatory notes? Then these are not part of the test.

There may be issues of a factual nature in the implementation or the implementing systems to which the (national) legislation does not apply. For example, because the regulation is not needed for it or has a different level of abstraction. Or because the subject has fully been covered in the GDPR in principle (such as security of processing in Article 32 GDPR).

Do such subjects result in a high risk? Then you can apply to the Dutch DPA for a prior consultation about them. Did you apply for such prior consultation? Then state this in your request for a legislative test.