Article 36 of the GDPR: Prior consultation of the supervisory authority

Article 36 of the GDPR requires the data controller to consult the supervisory authority (e.g. the CNIL) before starting the processing when the data protection impact assessment (DPIA) reveals a high, unmitigated risk to the rights and freedoms of data subjects.

Article 36 of the GDPR explained

Where the measures provided for in the impact assessment are not sufficient to mitigate a high risk, the controller must:

  • Consult the supervisory authority before implementing the processing;
  • Provide it with all useful information (impact assessment, planned measures, DPO contact details, etc.);
  • Wait for any recommendations, or even a ban on the processing in certain serious cases.

The authority has 8 weeks to make a decision (extendable by 6 weeks).

Why is this article important for your GDPR compliance?

It makes it possible to anticipate major risks related to data processing and to avoid future violations or sanctions. The consultation provides a strengthened legal framework and secures innovative or sensitive processing operations.

How to comply with Article 36 of the GDPR?

  • Systematically carry out a risk analysis before any sensitive processing project;
  • If the high risk cannot be reduced, consult the CNIL before implementation;
  • Prepare a complete and documented file to send to the authority;
  • Follow the recommendations and keep the exchanges for your GDPR documentation.

Examples of application of Article 36 of the GDPR

  • A start-up developing a facial recognition tool fails to mitigate certain risks: it consults the CNIL;
  • A company plans to automatically collect sensitive biometric data: prior consultation required;
  • A public authority sets up a massive cross-referencing of social files without sufficient guarantees: the supervisory authority is consulted.
