Acts 2017
499
(4) Where appropriate, the controller or processor shall seek
the views of data subjects on the intended processing, without prejudice
to the protection of commercial or public interests or the security of the
processing operations.
35.
Prior authorisation and consultation
(1) Every controller or processor shall obtain authorisation from
the Office prior to processing personal data in order to ensure compliance
of the intended processing with this Act and in particular to mitigate the
risks involved for the data subjects where a controller or processor cannot
provide for the appropriate safeguards referred to in section 36 in relation
to the transfer of personal data to another country.
(2) The controller or processor shall consult the Office prior to
processing personal data in order to ensure compliance of the intended
processing with this Act and in particular to mitigate the risks involved for
the data subjects where –
(a)
a data protection impact assessment as provided for
in section 34 indicates that processing operations are
by virtue of their nature, scope or purposes, likely to
present a high risk; or
(b)
the Office considers it necessary to carry out a prior
consultation on processing operations that are likely to
present a high risk to the rights and freedoms of data
subjects by virtue of their nature, scope or purposes.
(3) Where the Office is of the opinion that the intended processing
does not comply with this Act, in particular where risks are insufficiently
identified or mitigated, it shall prohibit the intended processing and make
appropriate proposals to remedy such non-compliance.
(4) The Office shall make public a list of the processing
operations which are subject to prior consultation in accordance with
subsection (2)(b).