Prior consultation with the HDPA is set out in Article 36(1) GDPR, where a data protection impact assessment (hereafter DPIA) (Article 35 GDPR) indicates that processing operations involve a high risk which the controller cannot adequately mitigate by appropriate measures (Recitals 84 and 94 GDPR).
The controller can submit a prior consultation request to the HDPA provided that the controller has verified that the necessary formal criteria for completeness of the DPIA relating to the request for consultation are met under the relevant framework set out in the section “Data protection impact assessment”.
The prior consultation request must include at least a detailed description of residual high risks and their potential consequences as well as a detailed documentation of the reasons for which:
measures to reduce the high risk involved to an acceptable level cannot be adopted, especially in terms of available technologies and costs of implementation (Recitals 84 and 94 GDPR), and
it is necessary to perform the processing despite the residual high risks.
The request must also include what is set out in Article 36(3) GDPR and have the DPIA attached to it.