§ GDPR · Article 36
GDPR Article 36: Obligations, Deadlines & Penalties
At a glance
Article 36 of the GDPR imposes 10 obligations on Member States, controller, supervisory authority. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 36
Obligation 1
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of mitigating measures.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
controller
- Action required
-
consult
- Deadline
-
prior to processing
- Penalty
-
—
Obligation 2
The supervisory authority shall provide written advice to the controller and, where applicable, the processor, within a period of up to eight weeks of receipt of the request for consultation if it believes the processing infringes the Regulation.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
supervisory authority
- Action required
-
provide written advice
- Deadline
-
within period of up to eight weeks of receipt of the request
- Penalty
-
—
Obligation 3
The supervisory authority shall inform the controller and, where applicable, the processor, of any extension of the consultation period within one month of receipt of the request, together with the reasons for the delay.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
supervisory authority
- Action required
-
inform
- Deadline
-
within one month of receipt of the request
- Penalty
-
—
Obligation 4
When consulting the supervisory authority, the controller shall provide the respective responsibilities of the controller, joint controllers, and processors involved in the processing.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
controller
- Action required
-
provide
- Deadline
-
when consulting
- Penalty
-
—
Obligation 5
When consulting the supervisory authority, the controller shall provide the purposes and means of the intended processing.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
controller
- Action required
-
provide
- Deadline
-
when consulting
- Penalty
-
—
Obligation 6
When consulting the supervisory authority, the controller shall provide the measures and safeguards provided to protect the rights and freedoms of data subjects.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
controller
- Action required
-
provide
- Deadline
-
when consulting
- Penalty
-
—
Obligation 7
When consulting the supervisory authority, the controller shall provide the contact details of the data protection officer, where applicable.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
controller
- Action required
-
provide
- Deadline
-
when consulting
- Penalty
-
—
Obligation 8
When consulting the supervisory authority, the controller shall provide the data protection impact assessment provided for in Article 35.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
controller
- Action required
-
provide
- Deadline
-
when consulting
- Penalty
-
—
Obligation 9
When consulting the supervisory authority, the controller shall provide any other information requested by the supervisory authority.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
controller
- Action required
-
provide
- Deadline
-
when consulting
- Penalty
-
—
Obligation 10
Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
Regulation (EU) 2016/679, Article 36, Article 36
- Obligated entity
-
Member States
- Action required
-
consult
- Deadline
-
during the preparation
- Penalty
-
—
§ Frequently asked
Questions about Article 36
Who must comply with Article 36 of the GDPR?
+
Member States, controller, supervisory authority.
What does Article 36 of the GDPR require?
+
consult provide written advice inform
What is the compliance deadline for GDPR Article 36?
+
during the preparation; prior to processing; when consulting; within one month of receipt of the request; within period of up to eight weeks of receipt of the request