Article 36

Prior consultation

1. The controller shall consult the Commissioner prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

2. Where the Commissioner is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the Commissioner shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The Commissioner shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the Commissioner has obtained information the Commissioner has requested for the purposes of the consultation.

3. When consulting the Commissioner pursuant to paragraph 1, the controller shall provide the Commissioner with:

  • (a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
  • (b) the purposes and means of the intended processing;
  • (c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
  • (d) where applicable, the contact details of the data protection officer;
  • (e) the data protection impact assessment provided for in Article 35; and
  • (f) any other information requested by the Commissioner .

4. The relevant authority must consult the Commissioner during the preparation of a proposal for a legislative measure to be adopted by Parliament, the National Assembly for Wales, the Scottish Parliament or the Northern Ireland Assembly, or of a regulatory measure based on such a legislative measure, which relates to processing.

4A. In paragraph 4, “the relevant authority” means-

  • (a) in relation to a legislative measure adopted by Parliament, or a regulatory measure based on such a legislative measure, the Secretary of State;
  • (b) in relation to a legislative measure adopted by the National Assembly for Wales, or a regulatory measure based on such a legislative measure, the Welsh Ministers;
  • (c) in relation to a legislative measure adopted by the Scottish Parliament, or a regulatory measure based on such a legislative measure, the Scottish Ministers;
  • (d) in relation to a legislative measure adopted by the Northern Ireland Assembly, or a regulatory measure based on such a legislative measure, the relevant Northern Ireland Department.

5. [THIS ARTICLE IS INTENTIONALLY LEFT BLANK IN THE UK GDPR]

Relevant recitals

(94), (95), (96)

Important note about UK GDPR recitals

Recitals to the GDPR are saved into UK domestic law and apply to the interpretation of the UK GDPR. However, they have not been amended upon saving. This may mean that some recitals are no longer relevant if the corresponding provisions have not been retained in UK domestic law. (Tell me more.)

Previous Article
Article 35
Next Article
Article 37
Menu