Article 31 GDPR: Difference between revisions

From GDPRhub
Line 199: Line 199:
Article 31 GDPR establishes a legal obligation for controllers and processors, including their representatives, to cooperate with DPAs “''in the exercise of'' [their] ''tasks''”.
Article 31 GDPR establishes a legal obligation for controllers and processors, including their representatives, to cooperate with DPAs “''in the exercise of'' [their] ''tasks''”.


Under [[Article 57 GDPR|Article 57(1) GDPR]], each supervisory authority shall, among the others, “''monitor and enforce the application of this Regulation''” as well as “''conduct investigations on the application of this Regulation''”. Article 58(1) GDPR requires the controller and the processor “''to provide any information it requires for the performance of its tasks''”.  
In general terms, the content of the obligation to cooperate is therefore initially based on the - very wide - tasks and powers of the supervisory authority. For instance, under [[Article 57 GDPR|Article 57(1) GDPR]], each supervisory authority shall, among the others, “''monitor and enforce the application of this Regulation''” as well as “''conduct investigations on the application of this Regulation''”. Article 58(1) GDPR requires the controller and the processor “''to provide any information it requires for the performance of its tasks''”.  
 
In addition to these general clauses, the GDPR includes specific cases of cooperation with the supervisory authority. For instance, further cooperation obligations arise from Article 30(4), which requires the provision of records of processing activities upon request, and Article 33(1) and (2), which mandate the obligation to report a data breach.
 
The tasks and powers outlined in Articles 57 and 58 as well as in other specific provisions of the GDPR (see above) always involve a certain degree of cooperation. On the controller's side, this encompasses both obligations to actively collaborate with the authority or passively tolerate a certain action, depending on the specific task or power being carrying out. For instance, Article 58(1)(a) regarding the provision of information implies a duty to actively cooperate, while Article 58(1)(e) regarding access to personal data establishes an obligation to simply tolerate the presence of the authority's staff.<ref>''Bogendorfer'', in Knyrim, DatKomm, Article 31 GDPR, margin number 4 (Manz 2022).</ref>


Providing information can conflict with the right against self-incrimination.  
Providing information can conflict with the right against self-incrimination.  

Revision as of 10:14, 6 June 2023

Article 31 - Cooperation with the supervisory authority
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 31 - Cooperation with the supervisory authority

The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

Relevant Recitals

Recital 80: Designated Representative
Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

Recital 82: Maintenance and Availability of Records
In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Commentary

Article 31 stipulates a legal obligation for controllers and processors to cooperate with the supervisory authority.

Cooperation

Article 31 GDPR establishes a legal obligation for controllers and processors, including their representatives, to cooperate with DPAs “in the exercise of [their] tasks”.

In general terms, the content of the obligation to cooperate is therefore initially based on the - very wide - tasks and powers of the supervisory authority. For instance, under Article 57(1) GDPR, each supervisory authority shall, among the others, “monitor and enforce the application of this Regulation” as well as “conduct investigations on the application of this Regulation”. Article 58(1) GDPR requires the controller and the processor “to provide any information it requires for the performance of its tasks”.

In addition to these general clauses, the GDPR includes specific cases of cooperation with the supervisory authority. For instance, further cooperation obligations arise from Article 30(4), which requires the provision of records of processing activities upon request, and Article 33(1) and (2), which mandate the obligation to report a data breach.

The tasks and powers outlined in Articles 57 and 58 as well as in other specific provisions of the GDPR (see above) always involve a certain degree of cooperation. On the controller's side, this encompasses both obligations to actively collaborate with the authority or passively tolerate a certain action, depending on the specific task or power being carrying out. For instance, Article 58(1)(a) regarding the provision of information implies a duty to actively cooperate, while Article 58(1)(e) regarding access to personal data establishes an obligation to simply tolerate the presence of the authority's staff.[1]

Providing information can conflict with the right against self-incrimination.

In Orkem, the CJEU clarifies[2] that “documents, even with incriminating content, must be delivered”.[3]

Violations of this obligation are punishable under Article 83(4)(a) GDPR, but proactive and good-faith behaviours can be taken into consideration by the DPA while deciding the amount of the administrative fine (Article 83(2)(f) GDPR).

Decisions

→ You can find all related decisions in Category:Article 31 GDPR

References

  1. Bogendorfer, in Knyrim, DatKomm, Article 31 GDPR, margin number 4 (Manz 2022).
  2. CJEU, Case C-374/87, Orkem, 18 October 1989 (available here).
  3. Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 31 GDPR, p. 628 (Oxford University Press 2020).