Article 36

Prior consultation

1. Where a data protection impact assessment under Article 35 indicates that the processing would present a high risk if the controller does not take measures to mitigate the risk, the controller shall consult the supervisory authority prior to the processing.

2. Where the supervisory authority considers that the intended processing referred to in paragraph 1 would be in breach of this Regulation, in particular where the controller has not sufficiently identified or mitigated the risk, the supervisory authority shall, within a maximum period of eight weeks from the receipt of the request for consultation, give its opinion in writing to the controller and, where applicable, to the processor, and may exercise all its powers referred to in Article 58. That period may be extended by six weeks, depending on the complexity of the intended processing. Upon such extension, the supervisory authority shall notify the controller and, where applicable, the processor, within one month of receipt of the request for consultation, inter alia, of the reasons for the delay. Those time limits may be suspended until the supervisory authority has obtained information requested for the purpose of the consultation.

3. When the controller consults the supervisory authority under paragraph 1, it shall provide it with information on:

4. where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for intra-group processing;

5. The purposes and means of the intended processing;

6. the measures and safeguards provided to protect the rights and freedoms of data subjects under this regulation;

7. if applicable, the contact details of the data protection officer;

8. the data protection impact assessment provided for in Article 35; and

9. any other information requested by the supervisory authority.