AuditFront

GDPR Art.36: Prior Consultation

What This Control Requires

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

In Plain Language

Sometimes a DPIA reveals risks you simply cannot mitigate on your own. When that happens - when residual risk remains high despite your best efforts - you must consult the supervisory authority before you start processing. This is your safety valve, not a rubber stamp.

You need to hand over a comprehensive package: the DPIA itself, the respective responsibilities of the controller, any joint controllers and processors, the purposes and means of processing, the safeguards you have already put in place, your DPO's contact details, and whatever else the authority asks for. Be thorough - a weak submission just slows things down.

The supervisory authority has up to eight weeks to respond (extendable by six weeks for complex cases), and that clock is suspended while the authority waits for information it has requested from you. If it concludes that the intended processing would infringe the GDPR, it must give you written advice and may use any of its enforcement powers, including limiting or banning the proposed processing. Do not start processing until the consultation is complete and you have addressed any recommendations they make.

How to Implement

Build prior consultation triggers into your DPIA process. At the end of every DPIA, include a step that explicitly evaluates whether residual risk remains high after all planned mitigations. If it does, route the DPIA into the prior consultation pathway. Define what "high residual risk" means in your context and apply that threshold consistently.

Put together a consultation submission template. Include the completed DPIA, a clear explanation of which processing creates the high risk, the mitigation measures you have already implemented or planned, why those measures are not sufficient to bring risk down, respective controller and processor responsibilities, the DPO's opinion, and any supporting documentation. Make it clear, well-structured, and easy for a regulator to follow.

Get to know your lead supervisory authority's process before you ever need it. Understand their submission format, preferred channels, typical timelines, and any specific guidance they have published. Building that familiarity in advance will save significant time when a real consultation arises.

Factor the consultation timeline into project planning. The authority has eight weeks, potentially stretching to fourteen. Build this into your project schedule so stakeholders understand that processing cannot begin until the consultation concludes. Surprises here can derail product launches.

When the response arrives, document everything and act on it. Implement any recommended changes, update the DPIA, and if conditions are imposed, confirm they are fully in place before processing begins. Keep a complete record of the entire consultation for accountability.

Evidence Your Auditor Will Request

  • DPIA process documentation showing prior consultation trigger criteria
  • Records of prior consultation submissions to supervisory authorities
  • Supervisory authority responses and advice received
  • Evidence of implementing supervisory authority recommendations
  • Updated DPIAs reflecting outcomes of prior consultation

Common Mistakes

  • Processing commenced despite high residual risk without consulting the supervisory authority
  • Prior consultation triggered but not pursued due to concern about regulatory scrutiny
  • Incomplete or poorly prepared consultation submissions leading to delays
  • Failing to implement supervisory authority recommendations following consultation
  • No integration of prior consultation triggers into the DPIA process

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.34       Related

Frequently Asked Questions

How do we know if residual risk is 'high' enough to require prior consultation?
If you have thrown every reasonable safeguard at the problem and the DPIA still concludes that individuals face a high risk, you need to consult. It comes down to the severity of potential harm, the likelihood it will actually happen, and how effective your safeguards truly are. Your DPO should be central to making this call.
Can the supervisory authority block our processing?
Yes, they absolutely can. Under Article 58(2), they have the power to impose temporary or permanent bans on processing. After a prior consultation, they may suggest changes, attach conditions, or prohibit the processing outright if they believe it would breach the GDPR and the risks cannot be adequately managed.
Is prior consultation needed for every DPIA?
Not at all. It is only triggered when the DPIA identifies residual high risk that you cannot bring down to an acceptable level. If your safeguards are sufficient and the DPIA concludes that risks are properly addressed, you are free to proceed. The majority of DPIAs should end with risks mitigated to a manageable level.
