---
name: gdpr-prior-consultation
title: Conducting Prior Consultation Process
description: 'Guides the GDPR Article 36 prior consultation process with supervisory authorities when a DPIA indicates high residual risk. Covers timeline requirements, documentation, and outcome handling. Activate when DPIA residual risk remains high or when preparing regulatory submissions. Keywords: prior consultation, Article 36, DPIA, high risk, supervisory authority.'
author: mukul975
author_url: https://github.com/mukul975/Privacy-Data-Protection-Skills/tree/main/skills/privacy/gdpr-prior-consultation
license: Apache-2.0
version: 0.1.0
execution_mode: open
jurisdiction: general
practice: data-protection
language: en
---

# Conducting Prior Consultation Process

## Overview

Article 36 requires controllers to consult the supervisory authority prior to processing where a DPIA under Art. 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, and the controller is unable to sufficiently mitigate that risk.

## When Prior Consultation Is Required

Prior consultation is mandatory when all of the following conditions are met:
1. A DPIA has been conducted under Art. 35.
2. The DPIA identifies high risks to data subjects' rights and freedoms.
3. All reasonably available mitigation measures have been applied.
4. Residual risk remains high despite mitigation efforts.

## Required Documentation (Art. 36(3))

The controller must provide:
1. Respective responsibilities of controller, joint controllers, and processors
2. Purposes and means of the intended processing
3. Measures and safeguards to protect data subjects
4. DPO contact details
5. The completed DPIA under Art. 35
6. Any other information the authority requests

## Timeline

| Phase | Duration | Reference |
|-------|----------|-----------|
| Authority initial response period | 8 weeks from receipt | Art. 36(2) |
| Extension for complex cases | Up to 6 additional weeks | Art. 36(2) |
| Maximum total period | 14 weeks | Art. 36(2) |
| Processing commencement | Only after advice received or deadline expired | Art. 36(2) |

## Consultation Process

### Step 1: Pre-Submission Preparation
1. Verify the DPIA is complete with all Art. 35(7) mandatory elements.
2. Confirm all available mitigation measures have been documented.
3. Document why residual risk remains high despite mitigation.
4. Obtain DPO review and sign-off.
5. Prepare the submission package with all Art. 36(3) documents.

### Step 2: Submission
1. Submit to the competent supervisory authority (lead authority for cross-border processing under Art. 56).
2. Use the authority's prescribed format if available.
3. Retain proof of submission with date stamp.

### Step 3: Authority Engagement
1. Respond promptly to requests for additional information.
2. Track the 8-week deadline and any extension notifications.
3. Do not commence processing until advice is received or deadline expires.

### Step 4: Outcome Handling

| Outcome | Action |
|---------|--------|
| Authority approves | Proceed subject to any conditions specified |
| Authority provides recommendations | Implement recommendations, document compliance |
| Authority objects or restricts | Do not proceed; revise processing design; resubmit if appropriate |
| No response within deadline | Document that consultation was submitted and deadline expired; may proceed |

## Member State Variations

Art. 36(5) permits Member State law to require prior consultation for processing in the public interest, including social protection and public health. Controllers must check local implementing legislation.

## Common Reasons for Triggering Prior Consultation

- Large-scale biometric identification systems
- Systematic public area surveillance with facial recognition
- Processing of genetic data at population scale
- Automated decision-making with legal or similarly significant effects where mitigation is insufficient
- Novel technology processing with unpredictable risk profiles
