The General Data Protection Regulation (GDPR) places strong emphasis on preventing privacy risks before they materialize, rather than merely reacting after a data breach or violation occurs. One of the most powerful preventive mechanisms embedded in the GDPR is Article 36 — Prior Consultation.
Article 36 acts as a safety valve within the GDPR framework. It requires organizations to consult with a data protection supervisory authority before launching certain high-risk data processing activities, when those risks cannot be sufficiently mitigated on their own.
What Is GDPR Article 36?
GDPR Article 36 requires data controllers to consult the supervisory authority before processing personal data if a Data Protection Impact Assessment (DPIA) indicates that the processing would result in a high risk to individuals’ rights and freedoms, and the controller cannot reduce that risk through reasonable measures.
In simple terms:
If your organization plans a data processing activity that is very risky, and you cannot adequately mitigate those risks, you must ask the data protection authority for guidance before you proceed.
This requirement reinforces GDPR’s core principle of accountability and ensures that regulators can intervene early—before harm occurs.
The Relationship Between Article 35 and Article 36
To fully understand Article 36, it must be viewed together with Article 35 (Data Protection Impact Assessments).
Step-by-Step Relationship
1. Article 35 requires a DPIA when processing is likely to result in high risk
2. The organization conducts the DPIA
3. If residual high risk remains, despite safeguards
4. Article 36 requires prior consultation
In other words, Article 36 is triggered only after a DPIA confirms that serious risks still exist.
What Is “Residual High Risk”?
A residual high risk is a risk that remains after all reasonable technical and organizational safeguards have been applied.
Examples include:
- Irreversible harm if data is misused
- Large-scale surveillance
- Automated decisions with legal effects
- Processing of sensitive data on a massive scale
- Use of novel or untested technologies
If these risks cannot be reduced to an acceptable level, Article 36 applies.
When Is Prior Consultation Mandatory?
Article 36 applies when all of the following conditions are met:
- A DPIA is legally required
- The DPIA identifies high risk
- The organization cannot sufficiently mitigate that risk
- The planned processing has not yet begun
Consultation is not optional in such cases—it is a legal obligation.
What Information Must Be Provided During Prior Consultation?
When consulting a supervisory authority under Article 36, organizations must submit detailed documentation, including:
1. Description of Processing Operations
- Nature, scope, and purposes
- Categories of personal data
- Categories of data subjects
2. DPIA Results
- Identified risks
- Risk severity and likelihood
- Reasons mitigation is insufficient
3. Safeguards and Measures
- Security controls
- Access limitations
- Data minimization techniques
- Retention policies
4. Contact Details
- Data Protection Officer (DPO)
- Controller or processor representatives
5. Any Other Requested Information
Supervisory authorities may request additional clarifications or documentation.
Role of the Supervisory Authority
Once consulted, the supervisory authority may:
- Provide written advice
- Recommend additional safeguards
- Request modifications to processing
- Impose temporary limitations
- Prohibit processing altogether (in extreme cases)
Authorities typically have up to eight weeks to respond, extendable by six weeks for complex cases.
Can Processing Start During Consultation?
No.
Processing must not begin until:
- The supervisory authority provides advice, or
- The consultation period expires without objection (depending on jurisdiction)
Starting processing prematurely may result in significant GDPR penalties.
Consequences of Ignoring Article 36
Failure to comply with Article 36 can lead to:
- Administrative fines (up to €10 million or 2% of global turnover)
- Processing bans
- Mandatory corrective actions
- Reputational damage
- Increased liability in civil claims
Supervisory authorities treat violations of Article 36 seriously because they undermine preventive data protection.
How Article 36 Supports GDPR Principles
Article 36 reinforces multiple GDPR principles, including:
- Privacy by design and by default
- Risk-based approach
- Accountability
- Transparency
- Proportionality
Rather than discouraging innovation, Article 36 ensures that high-risk innovation proceeds responsibly.
5 Practical Examples of GDPR Article 36 in Action
Example 1: AI-Driven Credit Scoring System
A fintech company plans to deploy an AI-based credit scoring platform using:
- Financial history
- Behavioral data
- Alternative data sources (mobile usage, location)
DPIA Outcome
- High risk of discrimination
- Limited explainability of decisions
- Significant legal effects on individuals
Mitigation Attempts
- Bias testing
- Partial human oversight
Residual Risk
- Individuals may be unfairly denied credit with no clear explanation
Article 36 Trigger
The company must consult the supervisory authority before launch.
Example 2: Nationwide Facial Recognition in Public Transport
A public transport authority introduces real-time facial recognition to identify fare evaders.
DPIA Outcome
- Large-scale biometric processing
- Continuous surveillance of commuters
Mitigation Attempts
- Encryption
- Limited retention
Residual Risk
- Chilling effect on freedoms
- Risk of misidentification
Article 36 Trigger
Prior consultation is mandatory due to unavoidable high risk.
Example 3: Health Data Platform for Chronic Disease Monitoring
A healthcare startup launches a platform monitoring:
- Heart rate
- Blood glucose
- Medication adherence
DPIA Outcome
- Sensitive health data
- Continuous data collection
Mitigation Attempts
- Strong encryption
- Consent mechanisms
Residual Risk
- Severe harm if data is breached
- Limited anonymization options
Article 36 Trigger
Consultation required before platform deployment.
Example 4: Employee Productivity Monitoring Software
A multinational company plans to deploy software tracking:
- Keystrokes
- Screen activity
- Time spent on applications
DPIA Outcome
- Power imbalance
- Constant employee surveillance
Mitigation Attempts
- Policy disclosures
- Limited reporting granularity
Residual Risk
- Psychological harm
- Excessive intrusion into privacy
Article 36 Trigger
Supervisory authority consultation is required.
Example 5: Smart City Data Integration Platform
A city government integrates data from:
- Traffic cameras
- Smart meters
- Mobile location sensors
DPIA Outcome
- Massive data aggregation
- Indirect identification risks
Mitigation Attempts
- Pseudonymization
- Role-based access
Residual Risk
- Function creep
- Re-identification potential
Article 36 Trigger
Mandatory prior consultation before public rollout.
Common Misconceptions About Article 36
“Consultation means automatic approval”
False. Authorities may restrict or prohibit processing.
“Small companies don’t need to consult”
False. Obligation depends on risk, not company size.
“Consultation replaces compliance”
False. Controllers remain fully accountable.
Best Practices for Article 36 Compliance
- Involve the DPO early
- Conduct thorough DPIAs
- Document all mitigation attempts
- Engage authorities transparently
- Treat consultation as collaboration, not confrontation
Conclusion
GDPR Article 36 is a cornerstone of preventive data protection. It ensures that when data processing poses serious risks that organizations cannot fully control, regulators are consulted before harm occurs.
Rather than being a bureaucratic hurdle, Article 36 offers a structured dialogue between innovation and fundamental rights. Organizations that understand and respect this obligation not only reduce legal risk—but also build trust, credibility, and long-term sustainability in a data-driven world.