Article 36 GDPR (Prior Consultation)

Article 36 of GDPR: Prior consultation with the supervisory authority 

When a company performs a data protection impact assessment and the result of that assessment shows that the intended data processing activities may result in a high risk to data subjects, then the data controller must consult with the supervisory authority prior to processing any data.

Obligation to consult with the supervisory authority (Article 36(1) GDPR)

If the following conditions apply, a data controller has an obligation to consult with the supervisory authorities prior to processing any data:

  1. A data protection impact assessment was done
  2. The assessment shows a high level of risk to data subjects in the absence of any mitigation plans taken by the company

Supervisory authority issuing advice (Article 36(2) GDPR)

When the supervisory authority considers the intended data processing activity on which a DPIA was performed and considers that the processing may infringe GDPR or the company has not shown sufficient mitigation of risk, it will issue its advice in writing within a period of 8 weeks.

Depending on the complexity of the data processing activities, the supervisory authority can extend the 8 weeks by another 6 weeks.

The supervisory authority may also suspend its delay to issue its advice should it require additional information from the data controller. 

The timeline to respond will commence either from the request of the consultation or from the moment the supervisory authority has all the information it needs to render its advice.

Content of the data controller’s consultation request (Article 36(3) GDPR)

If a data controller is in a situation requiring it to consult with the supervisory authority, it must make sure that its consultation request includes the following information:

  1. Data controller’s responsibilities, that of joint data controllers, data processors along with the manner the data controller handles the processing within its group of undertakings (Article 36(3)(a) GDPR)
  2. The purpose of the data processing activities (Article 36(3)(b) GDPR)
  3. The way the organization will mitigate risk to data subjects (Article 36(3)(c) GDPR)
  4. Contact details of its data protection officer (Article 36(3)(d) GDPR)
  5. The outcome of the data protection impact assessment (Article 36(3)(e) GDPR)
  6. Any other information as may be required by the supervisory authority (Article 36(3)(f) GDPR)

European Union member countries to consult with the supervisory authority (Article 36(4) GDPR)

Each European Union member country should consult with the supervisory authority during the preparation of a draft legislative proposal or a regulatory measure relating to data processing.

Europen Union member countries to require prior consultation (Article 36(5) GDPR)

GDPR authorizes each Europen Union member country to require that data controllers consult with their supervisory authority and obtain the authorization to process personal data relating to the interest of the public particularly with respect to the social protection and public health.

Recitals applicable to Article 36 of GDPR

Relevant Recitals: 94, 95, 96

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation in Article 36 or relevant recitals


GDPR Text: Article 36 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)