Article 36 GDPR
Prior consultation


1. If the data protection impact assessment referred to in Article 35 indicates that the processing would result in a high risk unless the controller takes measures to mitigate that risk, the controller shall consult with the supervisory authority before commencing the processing.
2. If the supervisory authority considers that the intended processing referred to in paragraph 1 would constitute a breach of this Regulation, in particular where the controller has failed to adequately identify or mitigate the risks, the supervisory authority shall, within eight weeks of receiving the request for consultation, provide the controller, and where applicable also the processor, with written recommendations and may exercise any of its powers referred to in Article 58. That period may be extended by six weeks due to the complexity of the intended processing. The supervisory authority shall inform the controller, and where applicable also the processor, of such an extension within one month of receiving the request for consultation, stating the reasons for the delay. The running of these time limits may be suspended until the supervisory authority has received all the information it has requested for the purposes of the consultation.
3. When consulting the supervisory authority in accordance with paragraph 1, the controller shall submit to it:
(a) where applicable, the relevant obligations of the controller, joint controllers and processors involved in the processing, in particular in the case of processing within a group of undertakings;
(b) the purposes and methods of the intended processing;
(c) measures and safeguards to protect the rights and freedoms of data subjects in accordance with this Regulation;
(d) where applicable, the contact details of the data protection officer;
(e) the data protection impact assessment referred to in Article 35; and
(f) any other information requested by the supervisory authority.
4. Member States shall consult the supervisory authority when preparing a draft legal act adopted by the national parliament or an implementing act based on such a legal act, if the draft concerns processing.
5. Notwithstanding paragraph 1, Member State law may require controllers to consult with and obtain prior consent from the supervisory authority for the processing of personal data by the controller for the purpose of performing a task carried out by the controller in the public interest, including processing in connection with social protection and public health.