Skill

gdpr-prior-consultation

Guides GDPR Article 36 prior consultation process when DPIA shows high residual risk. Covers documentation requirements, timelines, submission steps, and outcome handling. Activate for high-risk processing or regulatory prep.

security

npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Article 36 requires controllers to consult the supervisory authority prior to processing where a DPIA under Art. 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, and the controller is unable to sufficiently mitigate that risk.

Supporting Assets

assets/template.mdreferences/standards.mdreferences/workflows.mdscripts/process.py

SKILL.md

Similar Skills

github-deep-research

63.9k

Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.

2 files

bytedance-deer-flow-1

surprise-me

63.9k

Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.

bytedance-deer-flow-1

image-generation

63.9k

Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.

2 files

bytedance-deer-flow-1

Stats

Parent Repo Stars37

Parent Repo Forks4

Last CommitMar 15, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Conducting Prior Consultation Process

Overview

When Prior Consultation Is Required

Prior consultation is mandatory when all of the following conditions are met:

A DPIA has been conducted under Art. 35.
The DPIA identifies high risks to data subjects' rights and freedoms.
All reasonably available mitigation measures have been applied.
Residual risk remains high despite mitigation efforts.

Required Documentation (Art. 36(3))

The controller must provide:

Respective responsibilities of controller, joint controllers, and processors
Purposes and means of the intended processing
Measures and safeguards to protect data subjects
DPO contact details
The completed DPIA under Art. 35
Any other information the authority requests

Timeline

Phase	Duration	Reference
Authority initial response period	8 weeks from receipt	Art. 36(2)
Extension for complex cases	Up to 6 additional weeks	Art. 36(2)
Maximum total period	14 weeks	Art. 36(2)
Processing commencement	Only after advice received or deadline expired	Art. 36(2)

Consultation Process

Step 1: Pre-Submission Preparation

Verify the DPIA is complete with all Art. 35(7) mandatory elements.
Confirm all available mitigation measures have been documented.
Document why residual risk remains high despite mitigation.
Obtain DPO review and sign-off.
Prepare the submission package with all Art. 36(3) documents.

Step 2: Submission

Submit to the competent supervisory authority (lead authority for cross-border processing under Art. 56).
Use the authority's prescribed format if available.
Retain proof of submission with date stamp.

Step 3: Authority Engagement

Respond promptly to requests for additional information.
Track the 8-week deadline and any extension notifications.
Do not commence processing until advice is received or deadline expires.

Step 4: Outcome Handling

Outcome	Action
Authority approves	Proceed subject to any conditions specified
Authority provides recommendations	Implement recommendations, document compliance
Authority objects or restricts	Do not proceed; revise processing design; resubmit if appropriate
No response within deadline	Document that consultation was submitted and deadline expired; may proceed

Member State Variations

Art. 36(5) permits Member State law to require prior consultation for processing in the public interest, including social protection and public health. Controllers must check local implementing legislation.

Common Reasons for Triggering Prior Consultation

Large-scale biometric identification systems
Systematic public area surveillance with facial recognition
Processing of genetic data at population scale
Automated decision-making with legal or similarly significant effects where mitigation is insufficient
Novel technology processing with unpredictable risk profiles