Article 31 GDPR: Difference between revisions
Line 190: | Line 190: | ||
==Relevant Recitals== | ==Relevant Recitals== | ||
'' | <span id="r80"> | ||
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 80</div> | |||
<div class="mw-collapsible-content"> | |||
[...] Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. | |||
</div></div> | |||
<span id="r82"> | |||
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 82</div> | |||
<div class="mw-collapsible-content"> | |||
[...] In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations. | |||
</div></div> | |||
==Commentary== | ==Commentary== |
Revision as of 08:39, 4 November 2020
Legal Text
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
Relevant Recitals
[...] Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.
[...] In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
Commentary
Overview
Article 31 stipulates a legal obligation for controllers and processors to cooperate with the supervisory authority.
Cooperation
The term “cooperation” is not defined in the GDPR. [1] Whilst the Oxford Dictionary defines it as “the action or process of working together towards a shared aim” [2], we are of the opinion that controllers and processors are not given the option to not cooperate.
Data protection authorities are given precise tasks to protect not only the data subject’s right but also the public interest as defined by the GDPR. From this perspective, Article 58(1) stipulates that supervisory authorities have investigative “powers” to “order” the controller and the processor “to provide any information it requires for the performance of its tasks”.
The scope of DPAs tasks is legally defined under Article 57(1) according to which each supervisory authority shall “monitor and enforce the application of this Regulation”, “handle complaints lodged by a data subject” as well as “conduct investigations on the application of this Regulation”.
In conclusion, if the “information” held by the controller is necessary for the authority to perform one of its tasks, then there seems to be very little for (not) cooperating. At the same time, proactive and good-faith behaviors can be taken into consideration by the DPA while deciding the amount of the administrative fine (Article 83(2)(f) GDPR).
[1] Kuner C, The EU General Data Protection Regulation (GDPR): A Commentary, Oxford University Press 2020, pg. 627
[2] Oxford Dictionary – Academic English, “Cooperation” – accessed on the 29.10.2020
Decisions
→ You can find all related decisions in Category:Article 31 GDPR