Skill

gdpr-prior-consultation

Guides GDPR Article 36 prior consultation process when DPIA shows high residual risk. Covers documentation requirements, timelines, submission steps, and outcome handling. Activate for high-risk processing or regulatory prep.

security

npx claudepluginhub mukul975/privacy-data-protection-skills --plugin gdpr-compliance-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Article 36 requires controllers to consult the supervisory authority prior to processing where a DPIA under Art. 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, and the controller is unable to sufficiently mitigate that risk.

Supporting Assets

assets/template.mdreferences/standards.mdreferences/workflows.mdscripts/process.py

SKILL.md

Similar Skills

memory-forensics

33.0k

Acquire memory dumps from live systems/VMs and analyze with Volatility 3 for processes, networks, DLLs, injections in incident response or malware hunts.

reverse-engineering

binary-analysis-patterns

33.0k

Provides x86-64/ARM disassembly patterns, calling conventions, control flow recognition for static analysis of executables and compiled binaries.

reverse-engineering

anti-reversing-techniques

33.0k

Identifies anti-debugging checks like IsDebuggerPresent, NtQueryInformationProcess in Windows binaries; suggests bypasses via patches/hooks/scripts for malware analysis, CTFs, authorized RE.

1 file

reverse-engineering

Stats

Parent Repo Stars37

Parent Repo Forks4

Last CommitMar 15, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Conducting Prior Consultation Process

Overview

When Prior Consultation Is Required

Prior consultation is mandatory when all of the following conditions are met:

A DPIA has been conducted under Art. 35.
The DPIA identifies high risks to data subjects' rights and freedoms.
All reasonably available mitigation measures have been applied.
Residual risk remains high despite mitigation efforts.

Required Documentation (Art. 36(3))

The controller must provide:

Respective responsibilities of controller, joint controllers, and processors
Purposes and means of the intended processing
Measures and safeguards to protect data subjects
DPO contact details
The completed DPIA under Art. 35
Any other information the authority requests

Timeline

Phase	Duration	Reference
Authority initial response period	8 weeks from receipt	Art. 36(2)
Extension for complex cases	Up to 6 additional weeks	Art. 36(2)
Maximum total period	14 weeks	Art. 36(2)
Processing commencement	Only after advice received or deadline expired	Art. 36(2)

Consultation Process

Step 1: Pre-Submission Preparation

Verify the DPIA is complete with all Art. 35(7) mandatory elements.
Confirm all available mitigation measures have been documented.
Document why residual risk remains high despite mitigation.
Obtain DPO review and sign-off.
Prepare the submission package with all Art. 36(3) documents.

Step 2: Submission

Submit to the competent supervisory authority (lead authority for cross-border processing under Art. 56).
Use the authority's prescribed format if available.
Retain proof of submission with date stamp.

Step 3: Authority Engagement

Respond promptly to requests for additional information.
Track the 8-week deadline and any extension notifications.
Do not commence processing until advice is received or deadline expires.

Step 4: Outcome Handling

Outcome	Action
Authority approves	Proceed subject to any conditions specified
Authority provides recommendations	Implement recommendations, document compliance
Authority objects or restricts	Do not proceed; revise processing design; resubmit if appropriate
No response within deadline	Document that consultation was submitted and deadline expired; may proceed

Member State Variations

Art. 36(5) permits Member State law to require prior consultation for processing in the public interest, including social protection and public health. Controllers must check local implementing legislation.

Common Reasons for Triggering Prior Consultation

Large-scale biometric identification systems
Systematic public area surveillance with facial recognition
Processing of genetic data at population scale
Automated decision-making with legal or similarly significant effects where mitigation is insufficient
Novel technology processing with unpredictable risk profiles