gdpr-prior-consultation

Conducting Prior Consultation Process

Overview

Article 36 requires controllers to consult the supervisory authority prior to processing where a DPIA under Art. 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, and the controller is unable to sufficiently mitigate that risk.

When Prior Consultation Is Required

Prior consultation is mandatory when all of the following conditions are met:

1. A DPIA has been conducted under Art. 35.
2. The DPIA identifies high risks to data subjects' rights and freedoms.
3. All reasonably available mitigation measures have been applied.
4. Residual risk remains high despite mitigation efforts.

Required Documentation (Art. 36(3))

The controller must provide:

1. Respective responsibilities of controller, joint controllers, and processors
2. Purposes and means of the intended processing
3. Measures and safeguards to protect data subjects
4. DPO contact details
5. The completed DPIA under Art. 35
6. Any other information the authority requests

Timeline

Phase	Duration	Reference
Authority initial response period	8 weeks from receipt	Art. 36(2)
Extension for complex cases	Up to 6 additional weeks	Art. 36(2)
Maximum total period	14 weeks	Art. 36(2)
Processing commencement	Only after advice received or deadline expired	Art. 36(2)

Consultation Process

Step 1: Pre-Submission Preparation

1. Verify the DPIA is complete with all Art. 35(7) mandatory elements.
2. Confirm all available mitigation measures have been documented.
3. Document why residual risk remains high despite mitigation.
4. Obtain DPO review and sign-off.
5. Prepare the submission package with all Art. 36(3) documents.

Step 2: Submission

1. Submit to the competent supervisory authority (lead authority for cross-border processing under Art. 56).
2. Use the authority's prescribed format if available.
3. Retain proof of submission with date stamp.

Step 3: Authority Engagement

1. Respond promptly to requests for additional information.
2. Track the 8-week deadline and any extension notifications.
3. Do not commence processing until advice is received or deadline expires.

Step 4: Outcome Handling

Outcome	Action
Authority approves	Proceed subject to any conditions specified
Authority provides recommendations	Implement recommendations, document compliance
Authority objects or restricts	Do not proceed; revise processing design; resubmit if appropriate
No response within deadline	Document that consultation was submitted and deadline expired; may proceed

Member State Variations

Art. 36(5) permits Member State law to require prior consultation for processing in the public interest, including social protection and public health. Controllers must check local implementing legislation.

Common Reasons for Triggering Prior Consultation

• Large-scale biometric identification systems
• Systematic public area surveillance with facial recognition
• Processing of genetic data at population scale
• Automated decision-making with legal or similarly significant effects where mitigation is insufficient
• Novel technology processing with unpredictable risk profiles