Guidance on the application of Article 36(4) of the General Data Protection Regulation (GDPR)
Guidance for public authorities on their obligation to consult with the Information Commissioner's Office (ICO) on any proposals for legislative or statutory measures they are developing which involve the processing of personal data.
Documents
Details
Article 36(4) of the GDPR states that “Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing”.
This is a legally binding requirement on all relevant public sector organisations, and failure to adequately consult with the ICO on such proposals would constitute a breach of the GDPR. This obligation will continue to apply via relevant domestic legislation following the UK’s departure from the EU.
This guidance sets out a process by which all relevant public bodies should consult with the ICO to fulfil their obligations in respect of this requirement. The consultation process is consistent with established Cabinet Office consultation principles.
Updates to this page
Last updated 29 November 2023 + show all updates
-
Updated page ownership from the Department for Digital, Culture, Media and Sport to the Department for Science, Innovation and Technology.
-
Added translation