In short. GDPR Article 36 requires the controller to consult the supervisory authority before processing begins when a Data Protection Impact Assessment (DPIA) under Article 35 indicates that the processing would still present a high risk after the controller's planned mitigation measures. Where the authority considers that the processing would infringe the GDPR, it must give written advice within eight weeks of receiving the request (extendable by six weeks for complex processing, and suspended while requested information is outstanding), and the controller should not start the processing while the consultation is pending. Failure to consult when required is a separately sanctionable infringement under Article 83(4)(a).
Article 36 is the GDPR’s escape valve for high-risk processing the controller cannot adequately mitigate. It puts the supervisory authority in a position to either greenlight, restrict, or prohibit the planned processing. The mechanism is used sparingly — most DPIAs end with acceptable residual risk — but for AI systems, mass surveillance, novel biometric processing, and major health data deployments, Article 36 consultation is becoming more common.
For DPIA methodology: Article 35 GDPR DPIA, GDPR DPIA template. For automated decisions: Article 22 automated decision-making.
Key takeaways
- Article 36 consultation required when DPIA shows high residual risk despite mitigation.
- Supervisory authority must respond within 8 weeks (extendable by 6 weeks).
- Processing cannot start until consultation is complete.
- The authority can prohibit the processing, impose conditions, or accept it.
- Member State law may require prior consultation and authorisation in additional public-interest cases (Article 36(5)).
1. When is Article 36 triggered?
Article 36(1): the controller must consult the supervisory authority prior to processing where a DPIA under Article 35 indicates that the processing would result in a high risk "in the absence of measures taken by the controller to mitigate the risk".
Read literally that wording is ambiguous, but the Article 29 Working Party's DPIA guidelines (WP248 rev.01, endorsed by the EDPB) settle it: consultation is required where the controller cannot find sufficient measures to bring the risk down to an acceptable level, i.e. where the residual risk remains high.
The threshold is residual risk, not initial risk. A DPIA might identify a high initial risk that the controller’s measures reduce to acceptable — in that case, Article 36 doesn’t apply.
2. The consultation request — what to submit
Article 36(3) lists what the controller must provide:
- Roles and responsibilities of controller, joint controllers, processors
- Purposes and means of the intended processing
- Measures and safeguards to protect data subject rights
- DPO contact details (where applicable)
- The DPIA itself
- Any other information the supervisory authority requests
Submission channels differ by supervisory authority; check the authority's current guidance before filing:
- France (CNIL): dedicated form, online submission
- Germany (BfDI and the Länder authorities): written submission, sometimes a preliminary meeting
- Ireland (DPC): structured submission process
- Italy (Garante): formal submission with technical annex
3. The 8-week deadline
Where the supervisory authority considers that the intended processing would infringe the GDPR, in particular because the controller has insufficiently identified or mitigated the risk, it must provide written advice within eight weeks of receiving the request (Article 36(2)). Within that framework it can:
- Provide written advice to the controller (and, where applicable, the processor)
- Identify deficiencies the controller must address before going ahead
- Exercise any of its Article 58 powers (warning, reprimand, order to bring the processing into compliance, temporary or definitive ban)
- Extend the period by six weeks for complex processing; the extension and its reasons must be notified to the controller within one month of receipt of the request
- Suspend the running of these periods until it has obtained information it has requested for the purposes of the consultation
The controller cannot begin processing until the consultation is complete; a suspension therefore pushes back the launch date as well as the authority's deadline.
4. Possible outcomes
Authority approves (or doesn’t object)
The controller proceeds with the planned processing as described. The DPIA + consultation documentation form the compliance record.
Authority approves with conditions
The controller must implement additional measures specified by the authority before starting. Common additions: enhanced data subject information, specific opt-out mechanisms, additional security controls.
Authority prohibits the processing
The authority exercises its Article 58(2)(f) power to impose a temporary or definitive limitation, including a ban, on the processing. The controller must redesign or abandon the project. Rare in practice but powerful.
Authority remains silent past 8+6 weeks
The Regulation contains no deemed-approval rule, but the eight-week duty to advise attaches only where the authority believes the processing would infringe the GDPR, so silence past the (possibly extended and suspended) deadline is generally read as absence of objection. The controller may then proceed, but should record the submission date, the deadline computation and the absence of a response in the compliance file.
5. Typical cases requiring Article 36
- Mass biometric surveillance (facial recognition in public spaces)
- AI systems for high-stakes decisions (welfare, criminal justice, healthcare)
- Novel processing of children’s data at scale
- Cross-border data transfers with insufficient safeguards
- Health data warehouses for research with re-identification risk
- Worker monitoring with continuous surveillance
- Public-private data sharing without clear safeguards
The CNIL has published guidance listing scenarios where consultation is recommended even if not strictly mandatory.
6. Member State extensions (Article 36(5))
Article 36(5) allows Member State law to require controllers to consult the supervisory authority and obtain its prior authorisation for processing carried out in the performance of a task in the public interest, including:
- Tasks carried out in the public interest generally
- Social protection (including social security)
- Public health
In France, certain health research processing requires prior CNIL authorisation under specific provisions of the Loi Informatique et Libertés. In Germany, public sector processing may be subject to additional state-level consultation requirements. In Spain, the AEPD authorises certain international transfers, but that mechanism rests on Article 46(3), not Article 36(5).
7. Article 36 vs Article 35 vs Article 22
These three Articles work together:
- Article 35: DPIA required for high-risk processing
- Article 36: prior consultation if DPIA shows high residual risk
- Article 22: substantive restrictions on automated decision-making
For an AI system making welfare decisions:
- Article 35: DPIA mandatory
- Article 22: the data subject must be able to obtain human intervention, express their point of view and contest the decision (Article 22(3))
- Article 36: consultation required if residual risk high despite Article 22 safeguards
8. Sanctions for not consulting
Article 83(4)(a): administrative fines of up to €10 million or, for an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
In practice, Article 36 findings rarely stand alone: they usually accompany findings under Article 35 (DPIA missing or deficient) and Article 22 (automated decisions). But failing to consult when required is an infringement in its own right, and it weighs against the controller when the fine for the underlying processing is set under Article 83(2).
Notable cases:
- Clearview AI (multiple EU DPAs) — cited Article 36 non-consultation among other violations
- Decisions on automated decision systems in which the absence of prior consultation was one of the infringements found
9. The consultation as risk-reduction tool
Consulting the supervisory authority before launching a high-risk processing has strategic value:
- Regulatory certainty: a written position from the authority on the planned approach (Article 36 advice is consultation, not authorisation, unless Member State law under Article 36(5) provides otherwise)
- Liability reduction: it is much harder to sanction a controller for processing that was described to the authority and not objected to, provided the processing actually carried out matches what was submitted
- Refinement opportunity: the authority's input often improves the design
- Public signalling: demonstrates good faith and accountability
For projects with public visibility (AI deployment, new product line), the consultation can be turned into a competitive advantage.
10. Practical workflow
- DPIA completed under Article 35
- Residual risk assessment — is it still “high” after mitigation?
- Decision: consult or not — document the analysis
- If consulting: prepare submission package (DPIA + roles + purposes + measures)
- Submit to the supervisory authority via its designated channel
- Track the timeline: 8 weeks (+6 weeks possible extension), with the clock suspended while requested information is outstanding
- Respond to authority requests for additional information
- Receive response — implement any conditions
- Begin processing only after consultation complete
- Maintain documentation of the entire process
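The deadline arithmetic in sections 3 and 10 is easy to get wrong once an extension and a suspension overlap. The following tracker is an added example (not the page's, Legiscope's or any authority's code) that encodes the Article 36(2) time limits: eight weeks from receipt, a further six weeks for complex processing notified within one month of receipt, and suspension of both periods while the authority waits for information it has requested. The dates in the sample timeline are constructed; "one month" is assumed to be 30 days, and treating silence past the deadline as absence of objection is the page's reading, not text of the Regulation.

```python
"""Article 36(2) consultation clock (illustrative example, not official tooling).

Encodes: written advice within eight weeks of receipt; a six-week extension
for complex processing, notified within one month of receipt; suspension of
both periods while requested information is outstanding. All dates are
constructed; the 30-day reading of "one month" is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

BASE_PERIOD = timedelta(weeks=8)              # Article 36(2), first sentence
EXTENSION = timedelta(weeks=6)                # Article 36(2), second sentence
EXTENSION_NOTICE_LIMIT = timedelta(days=30)   # "within one month" (30 days assumed)


@dataclass
class ConsultationClock:
    received: date                            # day the authority received the request
    extended: bool = False
    # (start, end) pairs; end is None while a request for information is open
    suspensions: list[tuple[date, date | None]] = field(default_factory=list)

    def extend(self, notified_on: date) -> None:
        """Record a six-week extension; it must be notified within one month."""
        if notified_on - self.received > EXTENSION_NOTICE_LIMIT:
            raise ValueError("extension not notified within one month of receipt")
        self.extended = True

    def is_suspended(self) -> bool:
        return bool(self.suspensions) and self.suspensions[-1][1] is None

    def request_information(self, on: date) -> None:
        """Authority asks for more information: the clock stops."""
        if self.is_suspended():
            raise ValueError("an information request is already pending")
        self.suspensions.append((on, None))

    def information_received(self, on: date) -> None:
        """Controller supplies the information: the clock restarts."""
        if not self.is_suspended():
            raise ValueError("no pending information request")
        start, _ = self.suspensions[-1]
        if on < start:
            raise ValueError("information cannot arrive before it was requested")
        self.suspensions[-1] = (start, on)

    def deadline(self) -> date | None:
        """Latest day for the authority's written advice, or None while suspended."""
        if self.is_suspended():
            return None
        period = BASE_PERIOD + (EXTENSION if self.extended else timedelta(0))
        paused = sum((end - start).days for start, end in self.suspensions)
        return self.received + period + timedelta(days=paused)

    def silent_past_deadline(self, today: date) -> bool:
        """True once the deadline has passed with no advice; the controller
        documents the absence of objection before proceeding (page's reading)."""
        d = self.deadline()
        return d is not None and today > d


def compute_deadline(received: str, extended_on: str | None = None,
                     suspensions: tuple[tuple[str, str], ...] = ()) -> str:
    """ISO-date wrapper so a timeline can be described with plain strings."""
    clock = ConsultationClock(date.fromisoformat(received))
    if extended_on:
        clock.extend(date.fromisoformat(extended_on))
    for start, end in suspensions:
        clock.request_information(date.fromisoformat(start))
        clock.information_received(date.fromisoformat(end))
    return clock.deadline().isoformat()


def sample_timeline() -> dict[str, object]:
    """Constructed timeline: request received 1 March 2024, extension notified
    20 March, information requested 2 April and supplied 16 April."""
    clock = ConsultationClock(date(2024, 3, 1))
    clock.extend(date(2024, 3, 20))
    clock.request_information(date(2024, 4, 2))
    clock.information_received(date(2024, 4, 16))   # 14 days paused
    return {
        "deadline": clock.deadline().isoformat(),     # 8 + 6 weeks + 14 days
        "silent_on_1_july": clock.silent_past_deadline(date(2024, 7, 1)),
    }


if __name__ == "__main__":
    print(sample_timeline())
```

The sample timeline lands on 21 June 2024: eight weeks to 26 April, six more to 7 June, plus the fourteen days during which the authority's information request was open. Note that `deadline()` deliberately returns `None` while a request is pending, so a launch gate built on it cannot be satisfied until the controller has actually answered the authority.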
11. Tooling
Legiscope includes an Article 36 consultation workflow: triggers consultation requirement when DPIA shows high residual risk, generates the consultation package, tracks the supervisory authority’s response timeline.
For related deep-dives: Article 35 GDPR DPIA, GDPR DPIA template, Article 22 automated decisions, Article 24 controller responsibility.
Conclusion
Article 36 is the GDPR’s safety valve for high-risk processing that the controller cannot adequately mitigate. Using it correctly transforms a regulatory risk into a regulatory shield. Skipping it when required exposes the controller to sanctions stacking on top of any underlying processing violations.
FAQ
When must I consult the supervisory authority under Article 36?
When your DPIA under Article 35 shows that residual risk is high despite your planned mitigation measures. The threshold is residual risk, not initial risk.
How long does the consultation take?
Where the authority considers the processing would infringe the GDPR, it must give written advice within 8 weeks, extendable by 6 weeks for complex matters; the clock is suspended while information it has requested is outstanding. Processing cannot begin until the consultation is complete.
Can the authority prohibit my processing?
Yes. Under Article 58(2)(f), the supervisory authority can ban the processing. They can also approve with conditions or simply provide written advice.
What if the authority doesn’t respond?
If no response by the extended deadline (14 weeks from receipt, plus any period during which the clock was suspended pending requested information), the controller may proceed, but should document the deadline computation and the absence of objection in the compliance record.
Is Article 36 the same as authorization under Member State law?
No. Article 36 is the EU-level consultation. Some Member States (France, Spain) have additional authorisation mechanisms for specific processing (health research, certain transfers) that require separate procedures.