Prior Consultation
Plain English Translation
Under GDPR Article 36, an organization must undergo a prior consultation with the supervisory authority before beginning any data processing if a Data Protection Impact Assessment (DPIA) indicates that the processing would result in a high risk that the organization cannot adequately mitigate. This step acts as a final safeguard to ensure that high-risk processing activities, such as those involving sensitive data or new technologies, are reviewed by regulators before data subjects are exposed to potential harm. Organizations must submit their DPIA, processing details, and proposed safeguards to the supervisory authority and await written advice before initiating the processing.
Technical Implementation
Required Actions (startup)
- Implement a basic DPIA template to assess risk levels of new features or vendors.
- Establish an internal rule to pause processing and contact legal counsel or the DPO if high risks cannot be mitigated.
Required Actions (scaleup)
Required Actions (enterprise)
- Automate risk thresholds within privacy management platforms to flag potential prior consultation needs immediately.
- Maintain pre-approved templates for supervisory authority consultation including controller responsibilities, safeguards, and DPO contacts.
- Conduct tabletop exercises on regulatory consultation workflows to ensure operational readiness.
GDPR Article 36 prior consultation is a mandatory procedure requiring an organization to consult its supervisory authority before starting a processing activity. This is triggered when a Data Protection Impact Assessment reveals that the processing will result in a high risk to individuals if no mitigating measures are taken. It serves as a regulatory safeguard for complex or highly sensitive data operations.
You must consult the supervisory authority under GDPR when your organization conducts a DPIA and identifies a high risk that cannot be sufficiently mitigated by reasonable means. If the residual high risk remains unacceptable in terms of available technology and implementation costs, the prior consultation must occur before any processing begins.
Residual high risk is determined by evaluating the severity and likelihood of harm to data subjects after all proposed security and privacy mitigations have been applied. If the DPIA indicates that the remaining risk level still poses a significant threat to the rights and freedoms of individuals, the DPIA has identified a residual high risk and the organization must decide what to do next. At this point, the organization must initiate the Article 36 consultation process.
A prior consultation submission must include the responsibilities of the controller and processors, the purposes and means of the intended processing, and the measures and safeguards provided to protect data subjects. When preparing a prior consultation submission under GDPR, organizations must also supply the contact details of the Data Protection Officer and the complete Data Protection Impact Assessment.
The supervisory authority must provide written advice within up to eight weeks of receiving the prior consultation request. This GDPR Article 36 consultation timeline can be extended by an additional six weeks depending on the complexity of the intended processing. The timeline may also be suspended if the authority needs to request additional information from the organization.
Organizations cannot proceed with processing before the GDPR prior consultation is complete. You must wait for the supervisory authority to review the DPIA high-risk consultation and either provide written advice or prohibit the processing entirely. Starting beforehand violates Article 36 and exposes the organization to significant administrative fines.
The difference between prior consultation and a DPIA under GDPR lies in their sequence and purpose. A DPIA is an internal risk assessment conducted by the organization to identify and mitigate privacy risks associated with a new processing activity. Prior consultation is the subsequent regulatory step required only if the DPIA concludes that those risks cannot be adequately mitigated by the organization.
The data controller is ultimately responsible for initiating the consultation and submitting the request to the supervisory authority. However, the Data Protection Officer must be actively involved and consulted during the process, and their contact information must be provided to the regulator. Processors assist the controller in ensuring compliance with these obligations where necessary.
Failing to conduct a required prior consultation under GDPR Article 36 is a direct violation of the regulation. Organizations may face severe penalties, including administrative fines of up to 10,000,000 EUR or 2 percent of the total worldwide annual turnover of the preceding financial year. The supervisory authority may also issue an official order to ban or suspend the processing activity entirely.
When preparing the submission, organizations must thoroughly document all planned technical and organizational measures within the DPIA. This documentation should detail how the safeguards aim to protect the rights and freedoms of data subjects. Clear evidence of why the risk cannot be further mitigated despite these measures is crucial for the supervisory authority's review.
Article 36 requires you to pause processing and assemble a defensible submission package when a DPIA shows residual high risk. Tools like WatchDog Security's Compliance Center can help track the control obligation, map it to DPIA evidence, and maintain an auditable workflow (owners, approvals, timestamps) showing when consultation was triggered and what was submitted.
The hard part is proving why residual risk remained high and that processing was paused until regulator advice was received. Tools like WatchDog Security's Risk Register can link the DPIA findings to scored risks, treatment decisions, and escalation records, creating a clear audit trail of mitigations attempted and the formal trigger for prior consultation.
"The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |