Article 36 of the GDPR states that the Controller shall consult the supervisory authority prior to processing where it is indicated by the data procession impact assessment u/art.35 that the processing would result in high risk in the absence of measures taken by the controller to mitigate the risk.
When superior authority opined that the intended processing would infringe the regulations contained in GDPR, specifically in cases of where the controller has sufficiently identified or mitigated the risk, the supervisory authority must within 8 weeks of receipt of the request for consultation, provide written advice to the controller and processor. However, this time may be extended by six weeks, considering the complexity of the intended processing; such extension must be communicated to the intended controller or processor within one month of the receipt of the request for consultation together with the reasons for the delay.
While consulting the supervisory authority, the controller shall provide the supervisory authority with the following details:-
- Where applicable, the respective responsibilities of the controller, joint controller and processors involved in the processing, in particular for processing within a group of undertakings;
- The purposes and means of the intended processing;
- The measures and safeguards provided to protect the rights and freedom of data subjects pursuant to the regulation;
- Where applicable, the contact details of the data protection officer;
- The data protection impact assessment provided u/art.35 and;
- Any other information requested by the supervisory authority.
It further states that the member state shall consult the supervisory authority during the preparation of a proposal for a legislative measure adopted by a national parliament, or of a regulatory measures based upon such legislative measure, which relates to processing.
Picture Credit- https://www.superoffice.com