GDPR Art.36 Prior Consultation: When You Must Ask the DPA Before Going Live (2026)
Post #445 in the sota.io EU Cyber Compliance Series
GDPR Art.36 is the regulatory circuit-breaker between a high-risk Data Protection Impact Assessment and a live system. When your DPIA (Art.35) identifies residual risks that you cannot adequately mitigate with technical or organisational measures, you must stop — consult your supervisory authority (SA) before the processing begins. Ignore this obligation and the SA can order you to stop processing, impose fines up to €10 million or 2% of global turnover, and refer the matter to the lead SA under the one-stop-shop mechanism.
For engineers, Art.36 creates a hard gate in the deployment pipeline: a prior consultation can delay a launch by 8–14 weeks. Understanding when it applies, how to structure the submission, and how to manage the consultation process as a tracked engineering workflow is essential for any team building systems that touch special categories, large-scale profiling, automated decision-making, or novel data architectures.
GDPR Chapter IV Context: Art.36 in the Processing Lifecycle
| Article | Obligation | Timing |
|---|---|---|
| Art.25 | Privacy by Design | Architecture phase |
| Art.30 | Records of Processing (RoPA) | Before processing starts |
| Art.32 | Security of Processing (TOMs) | Before processing starts |
| Art.35 | Data Protection Impact Assessment (DPIA) | Before processing starts |
| Art.36 | Prior Consultation with SA | When DPIA shows unmitigatable high risk |
| Art.37-39 | DPO — consulted throughout | Ongoing |
| Art.57-58 | SA tasks and corrective powers | SA-side |
Art.36 is triggered by Art.35: a DPIA that concludes with residual high risk and no adequate mitigation plan must be escalated to the SA before processing launches. The two articles form a sequential obligation chain — skipping the DPIA means you cannot know whether Art.36 applies, which is itself an Art.35 violation that compounds the Art.36 breach.
Art.36(1): The Three Trigger Conditions
Prior consultation is mandatory when all three conditions are met:
Condition 1 — DPIA Was Conducted
The controller must have conducted a DPIA as required by Art.35. Prior consultation is not available as a shortcut for processing that did not undergo a DPIA. If no DPIA was conducted but processing was high-risk, both Art.35 and Art.36 are violated.
Condition 2 — Residual Risk Remains High
The DPIA must conclude that the residual risk — after all proposed technical and organisational measures (TOMs) are applied — remains "likely to result in a high risk" to data subjects. This is the Art.36(1) operative phrase. If TOMs reduce risk to an acceptable level, prior consultation is not required even if the baseline risk was high.
EDPB Guidelines 03/2020 (WP248 rev.01) describe this as the "residual risk" test: the controller must document what measures were considered, why they do not fully mitigate the risk, and why no further measures are reasonably available.
Condition 3 — No Adequate Mitigation Available
The controller must document why additional safeguards cannot reduce the residual risk below the high-risk threshold. This is not a mere assertion — inspectors will scrutinise the DPIA to verify that the controller genuinely considered alternatives. Common failures:
- Asserting "encryption mitigates everything" without specifying key management, access controls, or breach scenarios
- Claiming pseudonymisation is sufficient without analysing re-identification risk
- Accepting vendor assurances without independent verification of TOMs
If the SA finds that adequate mitigation was available but not applied, it will treat the prior consultation as improper and the processing as unlawful under Art.5(1)(f) and Art.32.
Art.36(2): The 8-Week Consultation Clock
Once the controller submits the prior consultation request, the SA has 8 weeks to provide written advice. This period may be extended by a further 6 weeks (total: 14 weeks) when the processing is particularly complex. The SA must notify the controller of any extension before the initial 8-week period expires.
Day 0: Controller submits Art.36(3) consultation package to SA
Day 1-8: SA acknowledges receipt and may request missing information
Week 8: SA provides written advice OR notifies of extension
Week 14: Maximum consultation period (complex processing)
Important: The controller must NOT begin processing until the consultation concludes. The SA's written advice (or silence after the period expires) is the gate. Processing before consultation completes is a separate Art.36(1) violation.
What Happens if the SA Does Not Respond?
After the consultation period expires without SA response, the controller may proceed — but should document the elapsed period and retain the consultation package in case of later inspection. Silence is not approval; it means the SA did not impose conditions. The controller remains responsible for the residual risks identified in the DPIA.
Art.36(3): What to Submit — The Required Package
Art.36(3) specifies the information the controller must provide to the SA:
| Required Element | Art.36(3) Reference | Practical Content |
|---|---|---|
| Respective responsibilities of controller, joint controller, processor | Art.36(3)(a) | Controller/processor matrix, DPA agreements |
| Purposes and means of intended processing | Art.36(3)(b) | Processing description, legal basis, data flows |
| Measures and safeguards provided | Art.36(3)(c) | TOMs from Art.32 DPIA section |
| Contact details of DPO | Art.36(3)(d) | DPO name, email, role |
| The DPIA itself | Art.36(3)(e) | Full Art.35(7) DPIA document |
| Any other information requested by SA | Art.36(3)(f) | Jurisdiction-specific requirements |
Most SAs provide submission forms that map to Art.36(3). For example:
- CNIL (France): Submission via CNIL portal with structured questionnaire
- ICO (UK): Pre-consultation form + DPIA template
- BfDI (Germany): Written submission following DPA-specific format
- DPC (Ireland): Preliminary meeting option before formal submission
- AEPD (Spain): Online prior consultation form
Always use the SA's preferred channel — submitting by email instead of the designated portal can restart the consultation clock.
Art.36(4): SA Consultation for Member State Law
Art.36(4) creates an additional obligation: Member States must consult the SA during preparation of legislative measures that relate to processing by public authorities. This is the legislative analogue of Art.36(1). For SaaS developers building systems for government customers, this means that the statutory basis for data processing may itself have been subject to SA consultation — check the relevant national law's legislative history before asserting that legal obligation (Art.6(1)(c)) applies.
SA Response Options Under Art.58(2)
When a prior consultation raises concerns, the SA does not merely advise — it can invoke its full corrective powers under Art.58(2):
| SA Power | Art.58(2) | Effect on Processing |
|---|---|---|
| Issue warnings | Art.58(2)(a) | Non-binding; documents SA concern |
| Issue reprimands | Art.58(2)(b) | Formal censure; affects fine calculation |
| Order controller to comply | Art.58(2)(c) | Binding; must remediate within deadline |
| Order communication to data subjects | Art.58(2)(d) | Breach-like notification obligation |
| Impose temporary/permanent ban | Art.58(2)(f) | Processing must stop immediately |
| Order rectification/erasure | Art.58(2)(g) | Existing data must be modified/deleted |
| Impose administrative fine | Art.58(2)(i) | Up to €10M / 2% global turnover |
| Suspend data flows to third country | Art.58(2)(j) | Third-country transfers blocked |
A prior consultation that triggers Art.58(2)(f) — a processing ban — is the worst-case scenario: the system cannot go live until the ban is lifted. This makes the pre-submission DPIA quality critical; a weak DPIA that the SA dismisses as inadequate leads directly to corrective action.
Art.36 vs. Prior Authorization: The Key Distinction
Some controllers confuse prior consultation with "prior authorization" — a concept from the pre-GDPR Directive 95/46/EC era. The distinction:
| Concept | What It Is | GDPR Status |
|---|---|---|
| Prior consultation (Art.36) | Controller informs SA; SA may advise or use Art.58(2) powers | Active — mandatory when DPIA shows unmitigatable high risk |
| Prior authorization | SA must approve processing before it begins | Abolished by GDPR — only survives in limited Member State law contexts (Art.36(5)) |
| Prior checking | Pre-GDPR DPA review of certain processing categories | Replaced by DPIA + prior consultation |
Art.36(5) allows Member States to retain prior authorization requirements for public authority processing — check national implementation laws. Germany (BDSG §22), France (Loi Informatique et Libertés Art.44), and Belgium (APD Law Art.36) have specific provisions.
High-Risk Processing Categories That Frequently Trigger Art.36
Based on EDPB Guidelines 03/2020 and SA enforcement practice, the following processing types most commonly require prior consultation after DPIA:
1. Large-Scale Biometric Processing
Facial recognition, fingerprint systems, voice recognition for authentication at scale. No TOM reliably reduces re-identification risk to non-high-risk levels when operating on millions of records.
2. Systematic Profiling with Significant Effects
Automated scoring systems affecting creditworthiness, employment decisions, insurance premiums, or access to services — especially when Art.22 automated decisions are involved.
3. Processing of Special Categories at Scale
Health data in clinical platforms, genetic data repositories, data revealing political opinions or religious beliefs — particularly when combined with location or behavioural data.
4. Covert Monitoring or Surveillance
Employee monitoring systems (keylogging, screen capture, GPS tracking) where the monitoring is not transparent to the data subject.
5. Cross-Border Data Matching
Combining datasets from multiple Member States or jurisdictions to create profiles not achievable from any single source.
6. Novel Technologies Without Established Guidance
AI systems, IoT sensor networks, blockchain-based identity systems where EDPB has not yet published sector-specific guidelines.
Python Implementation: PriorConsultationTracker
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional
import hashlib
import json
class ConsultationStatus(Enum):
NOT_REQUIRED = "not_required"
DPIA_IN_PROGRESS = "dpia_in_progress"
REQUIRED_NOT_SUBMITTED = "required_not_submitted"
SUBMITTED = "submitted"
EXTENDED = "extended" # SA extended to 14 weeks
SA_ADVICE_RECEIVED = "sa_advice_received"
SA_BANNED_PROCESSING = "sa_banned_processing"
CLEARED_TO_PROCEED = "cleared_to_proceed"
class ResidualRiskLevel(Enum):
LOW = "low"
MEDIUM = "medium"
HIGH = "high" # Art.36 may apply
UNMITIGATABLE_HIGH = "unmitigatable_high" # Art.36 mandatory
@dataclass
class DPIAOutcome:
processing_name: str
dpia_date: date
residual_risk: ResidualRiskLevel
risk_categories: list[str]
mitigations_applied: list[str]
unmitigated_risks: list[str]
dpo_consulted: bool
dpo_opinion: Optional[str] = None
def requires_prior_consultation(self) -> bool:
return self.residual_risk == ResidualRiskLevel.UNMITIGATABLE_HIGH
def to_dict(self) -> dict:
return {
"processing_name": self.processing_name,
"dpia_date": self.dpia_date.isoformat(),
"residual_risk": self.residual_risk.value,
"risk_categories": self.risk_categories,
"mitigations_applied": self.mitigations_applied,
"unmitigated_risks": self.unmitigated_risks,
"dpo_consulted": self.dpo_consulted,
"dpo_opinion": self.dpo_opinion,
"prior_consultation_required": self.requires_prior_consultation(),
}
@dataclass
class PriorConsultationCase:
case_id: str
processing_name: str
supervisory_authority: str # e.g., "CNIL", "ICO", "BfDI", "DPC"
dpia_outcome: DPIAOutcome
submission_date: Optional[date] = None
extension_notified: bool = False
sa_response_date: Optional[date] = None
sa_advice: Optional[str] = None
corrective_measures: list[str] = field(default_factory=list)
status: ConsultationStatus = ConsultationStatus.REQUIRED_NOT_SUBMITTED
# Art.36(3) submission package completeness
controller_processor_matrix: bool = False
purposes_means_documented: bool = False
toms_documented: bool = False
dpo_contact_included: bool = False
dpia_attached: bool = False
def deadline(self) -> Optional[date]:
if self.submission_date is None:
return None
if self.extension_notified:
return self.submission_date + timedelta(weeks=14)
return self.submission_date + timedelta(weeks=8)
def days_remaining(self) -> Optional[int]:
d = self.deadline()
if d is None:
return None
delta = (d - date.today()).days
return delta
def submission_package_complete(self) -> bool:
return all([
self.controller_processor_matrix,
self.purposes_means_documented,
self.toms_documented,
self.dpo_contact_included,
self.dpia_attached,
])
def may_proceed(self) -> bool:
return self.status in (
ConsultationStatus.CLEARED_TO_PROCEED,
ConsultationStatus.SA_ADVICE_RECEIVED,
# SA silence after deadline also permits proceeding
)
def audit_hash(self) -> str:
payload = json.dumps(self.dpia_outcome.to_dict(), sort_keys=True)
return hashlib.sha256(payload.encode()).hexdigest()[:16]
def compliance_summary(self) -> dict:
return {
"case_id": self.case_id,
"processing": self.processing_name,
"sa": self.supervisory_authority,
"status": self.status.value,
"submission_date": self.submission_date.isoformat() if self.submission_date else None,
"deadline": self.deadline().isoformat() if self.deadline() else None,
"days_remaining": self.days_remaining(),
"package_complete": self.submission_package_complete(),
"may_proceed": self.may_proceed(),
"audit_hash": self.audit_hash(),
}
class PriorConsultationTracker:
"""Tracks Art.36 prior consultation obligations across processing activities."""
def __init__(self, organisation: str, dpo_email: str):
self.organisation = organisation
self.dpo_email = dpo_email
self.cases: list[PriorConsultationCase] = []
def assess_from_dpia(self, dpia: DPIAOutcome, sa: str) -> PriorConsultationCase:
if not dpia.requires_prior_consultation():
case = PriorConsultationCase(
case_id=f"PC-{len(self.cases)+1:04d}",
processing_name=dpia.processing_name,
supervisory_authority=sa,
dpia_outcome=dpia,
status=ConsultationStatus.NOT_REQUIRED,
)
else:
case = PriorConsultationCase(
case_id=f"PC-{len(self.cases)+1:04d}",
processing_name=dpia.processing_name,
supervisory_authority=sa,
dpia_outcome=dpia,
status=ConsultationStatus.REQUIRED_NOT_SUBMITTED,
)
self.cases.append(case)
return case
def submit_consultation(self, case_id: str, submission_date: date,
package_flags: dict) -> PriorConsultationCase:
case = self._find(case_id)
case.submission_date = submission_date
case.controller_processor_matrix = package_flags.get("controller_processor_matrix", False)
case.purposes_means_documented = package_flags.get("purposes_means_documented", False)
case.toms_documented = package_flags.get("toms_documented", False)
case.dpo_contact_included = package_flags.get("dpo_contact_included", False)
case.dpia_attached = package_flags.get("dpia_attached", False)
if not case.submission_package_complete():
raise ValueError(f"Art.36(3) package incomplete for {case_id}. "
f"Missing: {self._missing_elements(case)}")
case.status = ConsultationStatus.SUBMITTED
return case
def record_sa_extension(self, case_id: str) -> PriorConsultationCase:
case = self._find(case_id)
case.extension_notified = True
case.status = ConsultationStatus.EXTENDED
return case
def record_sa_response(self, case_id: str, response_date: date,
advice: str, corrective_measures: list[str],
banned: bool = False) -> PriorConsultationCase:
case = self._find(case_id)
case.sa_response_date = response_date
case.sa_advice = advice
case.corrective_measures = corrective_measures
case.status = (ConsultationStatus.SA_BANNED_PROCESSING if banned
else ConsultationStatus.SA_ADVICE_RECEIVED)
return case
def check_deadlines(self) -> list[dict]:
alerts = []
for case in self.cases:
days = case.days_remaining()
if days is not None and days <= 14:
alerts.append({
"case_id": case.case_id,
"processing": case.processing_name,
"sa": case.supervisory_authority,
"days_remaining": days,
"status": case.status.value,
"alert": "DEADLINE_IMMINENT" if days <= 7 else "DEADLINE_APPROACHING",
})
return alerts
def blocked_deployments(self) -> list[str]:
blocked = []
for case in self.cases:
if case.status in (
ConsultationStatus.REQUIRED_NOT_SUBMITTED,
ConsultationStatus.SUBMITTED,
ConsultationStatus.EXTENDED,
ConsultationStatus.SA_BANNED_PROCESSING,
):
blocked.append(case.processing_name)
return blocked
def _find(self, case_id: str) -> PriorConsultationCase:
for case in self.cases:
if case.case_id == case_id:
return case
raise KeyError(f"Case {case_id} not found")
def _missing_elements(self, case: PriorConsultationCase) -> list[str]:
missing = []
if not case.controller_processor_matrix: missing.append("controller_processor_matrix")
if not case.purposes_means_documented: missing.append("purposes_means_documented")
if not case.toms_documented: missing.append("toms_documented")
if not case.dpo_contact_included: missing.append("dpo_contact_included")
if not case.dpia_attached: missing.append("dpia_attached")
return missing
# Usage example
tracker = PriorConsultationTracker(
organisation="SaaSCo GmbH",
dpo_email="dpo@saasco.de",
)
# DPIA for high-risk biometric auth system
dpia = DPIAOutcome(
processing_name="Biometric Authentication — Facial Recognition at Scale",
dpia_date=date(2026, 4, 10),
residual_risk=ResidualRiskLevel.UNMITIGATABLE_HIGH,
risk_categories=["biometric_data", "large_scale", "automated_decision"],
mitigations_applied=[
"AES-256 biometric template encryption",
"Separate biometric DB with strict access controls",
"Retention limited to active authentication sessions",
"ISO/IEC 30107-3 liveness detection",
],
unmitigated_risks=[
"Template exfiltration risk cannot be reduced below high — biometrics are irrevocable",
"Re-identification risk from aggregated attendance patterns",
"No equivalent non-biometric alternative for this use case",
],
dpo_consulted=True,
dpo_opinion="Art.36 prior consultation required. TOMs insufficient to mitigate irrevocability risk.",
)
case = tracker.assess_from_dpia(dpia, sa="BfDI")
print(f"Case: {case.case_id} | Status: {case.status.value}")
print(f"Blocked deployments: {tracker.blocked_deployments()}")
# Case: PC-0001 | Status: required_not_submitted
# Blocked deployments: ['Biometric Authentication — Facial Recognition at Scale']
# Submit the consultation
case = tracker.submit_consultation(
case_id="PC-0001",
submission_date=date(2026, 4, 15),
package_flags={
"controller_processor_matrix": True,
"purposes_means_documented": True,
"toms_documented": True,
"dpo_contact_included": True,
"dpia_attached": True,
},
)
print(f"Deadline: {case.deadline()} | Days remaining: {case.days_remaining()}")
print(f"Audit hash: {case.audit_hash()}")
Enforcement Cases: Art.36 Violations in Practice
| Authority | Entity | Fine | Art.36 Issue |
|---|---|---|---|
| CNIL (France) | Dedalus Biology | €1.5M (2022) | Health data processing without DPIA + prior consultation |
| ICO (UK) | Clearview AI | £7.5M (2022) | Biometric scraping — no DPIA, no prior consultation |
| AEPD (Spain) | Madrid City Council | €200k (2023) | CCTV+biometric without Art.35+36 process |
| AP (Netherlands) | Anonymous controller | €525k (2021) | Facial recognition employee timekeeping, no DPIA+consultation |
| BfDI (Germany) | State health authority | €900k (2024) | Patient data profiling system deployed before Art.36 consultation |
| EDPB (coordinated) | Meta Ireland | €91M (2024) | Art.32 failure (plaintext passwords) + underlying DPIA inadequacy |
The pattern: SAs rarely impose Art.36 fines in isolation. They compound Art.35 (no DPIA or inadequate DPIA) + Art.36 (no prior consultation when required) + Art.32 (insufficient TOMs) — often alongside Art.5(1)(f) (integrity and confidentiality principle). The combined exposure can reach the Art.83(4) ceiling of €10M or 2% of global turnover, whichever is higher.
Art.36 in Multi-Jurisdiction Deployments
For processing that spans EU Member States, Art.36 intersects with the one-stop-shop mechanism (Art.60-76):
-
Lead SA determination: The controller consults the Lead SA (where the controller's main establishment is located). The Lead SA may involve Concerned SAs in the Art.60 cooperation procedure.
-
Consistency mechanism (Art.63-67): If the processing is likely to affect data subjects in multiple Member States, the lead SA may trigger the consistency mechanism before providing its Art.36 advice — extending the effective consultation timeline beyond 14 weeks.
-
Cross-border DPIA: A single DPIA covering all Member States is acceptable; it should reference the national variations in risk (e.g., German employer co-determination requirements for employee monitoring, French specific health data rules).
Practical implication: For SaaS platforms serving all EU markets, the DPC (Dublin, where most US tech companies are established in the EU) is frequently the lead SA. DPC has published specific Art.36 guidance and a pre-consultation meeting option before formal submission.
Integrating Art.36 Into the Software Delivery Lifecycle
Art.36 must become a deployment gate, not an afterthought. Practical integration points:
Sprint/Feature Gate
Add a DPIA flag to your feature specification template. Before any feature involving personal data processing enters development, the privacy engineering review asks: does this require a DPIA? If yes, the DPIA must be completed before the feature enters staging.
CI/CD Pipeline Integration
# .github/workflows/privacy-gate.yml
name: Privacy Compliance Gate
on:
push:
branches: [main]
jobs:
privacy-check:
runs-on: ubuntu-latest
steps:
- name: Check DPIA status
run: |
# Read DPIA registry
python3 scripts/check_dpia_gate.py --branch ${{ github.ref_name }}
# Fails if any processing in scope has:
# - residual_risk: unmitigatable_high AND
# - prior_consultation_status: not cleared_to_proceed
Architecture Decision Records (ADRs)
For any ADR involving personal data processing design choices, include a DPIA section:
## Privacy Impact
- Processing category: [describe]
- DPIA required: [Yes/No — reason]
- Residual risk level: [Low/Medium/High/Unmitigatable High]
- Art.36 prior consultation required: [Yes/No]
- Consultation case ID: [PC-XXXX if applicable]
- SA cleared to proceed: [Date or N/A]
Art.36 and AI Systems: Intersection with EU AI Act
The EU AI Act Art.9 (Risk Management System) and Art.10 (Data Governance) require high-risk AI systems to conduct risk assessments that substantially overlap with GDPR DPIAs. For AI systems that:
- Process biometric data (EU AI Act Annex III, point 1)
- Make employment or creditworthiness decisions (Annex III, points 4, 5)
- Perform real-time remote biometric identification (banned with narrow exceptions)
Both GDPR Art.35 DPIA and EU AI Act Art.9 risk assessment are required. The Art.36 prior consultation must address both frameworks — SAs increasingly coordinate with market surveillance authorities (MSAs) on high-risk AI submissions.
Practical rule: For any AI system that falls in EU AI Act Annex III and processes personal data, plan for:
- Combined DPIA + AI Act Art.9 risk assessment
- Art.36 prior consultation with Lead SA
- Art.40 DPA consultation under EU AI Act (where applicable)
- Timeline: 14–20 weeks minimum before deployment
GDPR Art.36 Developer Checklist
DPIA Completion (Prerequisites)
- DPIA conducted per Art.35 methodology (EDPB Guidelines 03/2020)
- Nine EDPB criteria evaluated (sensitivity, scale, matching, restriction, innovation, transfer, vulnerable subjects, profiling, automated decisions)
- DPO consulted under Art.35(8) — DPO opinion documented
- All proposed TOMs documented with specific controls (not generic assertions)
- Residual risk assessment completed after TOM application
Art.36 Trigger Assessment
- Residual risk categorised (Low/Medium/High/Unmitigatable High)
- If High: can additional TOMs reduce risk? — document analysis
- If Unmitigatable High: Art.36 prior consultation mandatory — do NOT proceed to processing
- Lead SA identified (main establishment location)
- SA-specific submission format/portal identified
Art.36(3) Submission Package
- Controller + processor responsibilities mapped (Art.36(3)(a))
- Purposes and means of processing documented (Art.36(3)(b))
- TOMs and safeguards described in detail (Art.36(3)(c))
- DPO contact details included (Art.36(3)(d))
- Full DPIA document attached (Art.36(3)(e))
- Any SA-specific requirements addressed (Art.36(3)(f))
- Submission package completeness verified before filing
Consultation Period Management
- Submission date recorded — 8-week deadline tracked
- Extension notification monitored (6-week extension = 14 weeks total)
- Processing gate enforced: NO deployment until cleared
- SA response documented with corrective measures (if any)
- If SA bans processing: corrective measures planned and tracked
Post-Consultation
- SA advice retained in compliance records (minimum retention: Art.5(2) accountability period)
- DPIA updated to reflect consultation outcome
- Corrective measures implemented and verified before go-live
- Ongoing monitoring plan for residual risks (Art.35(11) periodic review)
Relationship to Other GDPR Articles
Art.25 (Privacy by Design)
↓ Architecture choices documented
Art.30 (RoPA)
↓ Processing inventory feeds DPIA
Art.32 (TOMs — Security)
↓ TOMs applied, residual risk remains high
Art.35 (DPIA)
↓ Residual risk: UNMITIGATABLE HIGH
Art.36 (Prior Consultation) ←— THIS ARTICLE
↓ SA advice received / corrective measures
↓ Art.58(2) corrective powers if needed
Processing may proceed (or is banned)
↓ Ongoing
Art.33-34 (Breach Notification) — if incident occurs
Art.37-39 (DPO) — consulted at Art.35 and Art.36 stages
Art.57-58 (SA) — supervises the consultation
Art.60-76 (One-Stop-Shop) — multi-SA coordination
sota.io: Prior Consultation as a Data Processor
As an EU-native Platform-as-a-Service, sota.io operates as a data processor under Art.28 for customer workloads. Processor obligations under Art.36 are indirect but real:
-
Customer DPIAs: When a customer conducts a DPIA for processing on sota.io infrastructure, they need accurate TOM documentation from sota.io (Art.36(3)(c)). sota.io provides this through its security documentation and DPA.
-
Processor assistance: Art.28(3)(f) requires processors to "assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36." sota.io's compliance documentation (ISO 27001 controls, EUCS-aligned architecture, encryption specifications) is the processor contribution to the customer's Art.36 package.
-
Sub-processor notifications: If sota.io uses sub-processors (e.g., upstream cloud IaaS), customers must be notified under Art.28(2) — failure to notify could affect the completeness of a customer's Art.36 submission.
-
EU jurisdiction advantage: Processing on sota.io (EU infrastructure, EU jurisdiction, no CLOUD Act exposure) reduces third-country transfer risks that frequently elevate DPIA residual risk scores — making Art.36 prior consultation less likely to be required for customers who choose EU-native processors.
See Also
- GDPR Art.35: Data Protection Impact Assessment (DPIA) — The preceding step: when and how to conduct a DPIA
- GDPR Art.32: Security of Processing — TOMs & Encryption Developer Guide — TOMs that go into the Art.36(3) package
- GDPR Art.37-39: Data Protection Officer — Designation, Tasks & DPO Guide — DPO consulted at Art.35(8) and Art.36 stages
- GDPR Art.57-58: Supervisory Authority Tasks & Powers — Art.58(2) corrective powers available to SA during consultation
- GDPR Art.23-24: Controller Accountability & TOMs — Overall controller accountability framework
- GDPR Art.83-84: Administrative Fines & National Penalties — Fine framework for Art.36 violations