Prior Consultation (Article 36)
Prior consultation with the supervisory authority
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Article 36 GDPR mandates prior consultation where a DPIA indicates a high residual risk. The supervisory authority has 8 weeks to issue a recommendation (Article 36 (2)), extendable to 14 weeks.
What is prior consultation (Article 36)?
Mandatory content of the consultation:
- Description of the planned processing
- DPIA report
- Planned protective measures
- Rationale for the high residual risk
Practical example
An insurer plans an AI-based life-insurance risk assessment. The DPIA reveals a high residual risk. BfDI consultation: 12 weeks, approved subject to conditions.
Frequently asked questions
What does it cost?
No consultation fee — internal effort EUR 5,000 to 15,000.
Fine for omitting consultation?
Article 83 (4) (a) — up to EUR 10 million / 2%.