Only the controller may request prior consultation

PhD. Łukasz Piebiak, Chairman of the Board of the “Lawyers for Poland” Association, submitted a notification to the President of the Personal Data Protection Office regarding a possible breach of data protection rules by the presidents of common courts in connection with the organisation of general assemblies at the courts. He also requested that preliminary consultations be conducted pursuant to Article 36 of the GDPR. However, President Mirosław Wróblewski refused, noting that only a controller may request such consultations.

A letter from judge Łukasz Piebiak was received by the Personal Data Protection Office on April 10, 2026. The letter pointed to the possibility of illegal processing of personal data by the presidents of common courts and requested that measures be taken to prevent this. The matter is related to the upcoming election of the judicial branch of the National Council of the Judiciary. The current ruling coalition has announced that the Sejm (the Lower House of the Polish Parliament) will elect candidates previously nominated by the judicial community. Consequently, the presidents of district and appellate courts are convening general assemblies to select these candidates.

The applicant’s arguments – lack of grounds for processing personal data

The president of the “Lawyers for Poland” Association pointed out that general assemblies are bodies of judicial self-government with powers strictly defined by law. However, no law regulates this body’s participation in elections to the National Council of the Judiciary. Therefore, according to Łukasz Piebiak, the presidents of common courts have no legal basis for evaluating candidates for the National Council of the Judiciary—which also involves the processing of their personal data. Potential unlawful processing, according to the letter, could also extend to the candidates’ representatives and judges who have expressed support for them.

In light of the above, Łukasz Piebiak requested, pursuant to Article 36 of the GDPR, that prior consultations be conducted “regarding the lawfulness of processing personal data, including sensitive data, which includes information about judges’ membership in associations.” The remainder of the letter indicated that these consultations should concern the legitimate interests pursued by the controller (Article 35(7)(a) of the GDPR).

Response from the President of the Personal Data Protection Office: In this case, the association is not the data controller and cannot request prior consultation

In response to the letter described above, Mirosław Wróblewski, President of the Personal Data Protection Office, pointed out that the request cannot trigger the prior consultation procedure referred to in Article 36(1) of the GDPR. As he argues: “The prior consultation procedure was established by the EU legislator for specific situations indicated in that provision and—importantly—the activation of this mechanism is intended to serve the  controller and occurs exclusively at the controller’s initiative.”

The remainder of the response emphasises that this procedure applies if the controller has concerns about a planned process involving the processing of personal data (e.g., the introduction of new technology or a new service within the organisation) and if such a process poses a high risk of infringing upon the rights and freedoms of natural persons. Recital 84 of the GDPR was also cited, which states that: “if the data protection impact assessment indicates that the processing operations result in a high risk which the controller cannot mitigate by appropriate measures, taking into account the state of the art and the cost of implementation, the supervisory authority must be consulted prior to processing.”

The President of the Personal Data Protection Office may not issue legal opinions

Another important passage in this context is Recital 94, which states that: “Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person”.

The President of the Personal Data Protection Office emphasised that a necessary condition for the validity of a request for prior consultation is that it be submitted by a controller who has previously conducted a data protection impact assessment of the planned activity. However, neither the “Lawyers for Poland” Association nor its president are, in this case, the controllers for the judges. Mirosław Wróblewski also pointed out that the President of the Personal Data Protection Office is not an authority empowered to issue legal opinions. An assessment of the compliance of specific actions with personal data protection regulations may only take place within the procedures provided for by that law, in particular within the framework of administrative proceedings.