§ 57 DSG NRW
Consultation of the State Commissioner for Data Protection and Freedom of Information
(1)The controller shall, prior to the commissioning of newly created filing systems, consult the State Commissioner for Data Protection and Freedom of Information where
(2)1. a data protection impact assessment pursuant to Section 56 indicates that the processing would result in a high risk to the rights of the data subjects if the controller or processor takes no measures to mitigate the risk, or
(3)2. the form of the processing, in particular where new technologies, mechanisms or procedures are used, results in a high risk to the rights of the data subjects.
(4)The State Commissioner for Data Protection and Freedom of Information may draw up a list of processing operations that are subject to the duty of consultation pursuant to sentence 1.
(5)In the case of paragraph 1, the following shall be submitted to the State Commissioner for Data Protection and Freedom of Information:
(6)1. the data protection impact assessment carried out pursuant to Section 56,
(7)2. where applicable, information on the respective responsibilities of the controller, joint controllers and processors involved in the processing,
(8)3. information on the purposes and means of the intended processing,
(9)4. information on the measures and safeguards provided for the protection of the rights of the data subjects, and
(10)5. the name and contact details of the data protection officer.
(11)Upon request, all other information necessary for the State Commissioner to assess the lawfulness of the processing and, in particular, the risks to the protection of the personal data of the data subjects and the related safeguards shall also be submitted.
(12)Where the State Commissioner for Data Protection and Freedom of Information is of the opinion that the planned processing would contravene statutory requirements, in particular because the controller has not sufficiently identified the risk or has not taken sufficient remedial measures, he or she may, within a period of six weeks after initiation of the consultation, submit written recommendations to the controller and, where applicable, the processor as to what measures should still be taken. The State Commissioner for Data Protection and Freedom of Information may extend this period by one month where the planned processing is particularly complex. In this case, the controller and, where applicable, the processor shall be informed of the extension within one month after initiation of the consultation. The period under sentence 1 shall only begin once the mandatory documents to be submitted referred to in paragraph 2, sentence 1, have been submitted in full. The period shall also be suspended for as long as the controller has not submitted all documents requested pursuant to paragraph 2, sentence 2.
(13)Where the intended processing is of significant importance to the controller's performance of tasks and is therefore particularly urgent, the controller may commence processing after the initiation of the consultation but before the expiry of the period referred to in paragraph 3, sentence 1. In this case, the recommendations of the State Commissioner for Data Protection and Freedom of Information shall be taken into account retrospectively. The nature and manner of the processing shall be adapted where necessary.
(14)The State Commissioner for Data Protection and Freedom of Information shall be consulted in the preparation of proposals for legislative measures or regulatory measures based on legislative measures that concern processing within the scope of application of Section 35.