Prior consultation

Prior consultation refers to a situation in which a controller needs to consult the competent data protection authority before beginning to process personal data.

A prior consultation is required whenever an impact assessment shows that the envisaged processing would result in a high risk to data subjects and the controller has been unable to introduce measures to lower the risk. A prior consultation cannot take place until the controller has carried out a data protection impact assessment.

The competent data protection authority must be consulted, for example, if data subjects could face significant or irreversible consequences that they may not be able to overcome.

For example:

  • unlawful access to data that would endanger data subjects’ life, employment or financial position
  • the risk is almost certain to materialise: for example, the number of individuals who can access the data cannot be reduced because of the means of sharing, using or disseminating the data, or the known vulnerabilities cannot be rectified.

Moreover, controllers must always consult the competent data protection authority in situations where national laws obligate them to consult with, and/or obtain prior authorisation from, the competent data protection authority.

The Finnish Data Protection Ombudsman responds to prior consultations by providing the controller or processor with written advice on the measures that must be taken to lower the risk. If necessary, the Data Protection Ombudsman can also use the prior consultation procedure to exercise its powers under the General Data Protection Regulation and issue warnings, for example. Controllers and processors have a duty to implement the additional measures indicated by the Data Protection Ombudsman before beginning to process personal data in order for the processing to be deemed lawful.