1. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
2. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable, to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.
3. When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:
(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
4. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
(94) Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person. The supervisory authority should respond to the request for consultation within a specified period. However, the absence of a reaction of the supervisory authority within that period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.
(95) The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.
(96) A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.
ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.2.
Here is the relevant paragraph relating to Article 36 GDPR:
5.2.2 Understanding the needs and expectations of interested parties
The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.