|
|
Line 199: |
Line 199: |
|
| |
|
| === Cooperation === | | === Cooperation === |
| The term “''cooperation''” is not defined in the GDPR.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 31 GDPR, p. 627 (Oxford University Press 2020).</ref> Whilst the Oxford Dictionary defines it as “''the action or process of working together towards a shared aim''”,<ref>Oxford Dictionary – Academic English, [https://www.oxfordlearnersdictionaries.com/definition/english/cooperation?q=Cooperation “Cooperation”] – accessed on 29 October 2020.</ref> we are of the opinion that controllers and processors are not given the option to not cooperate.
| | Article 31 establishes a legal obligation for controllers and processors, including their representatives, to cooperate with the supervisory authority when exercising its tasks.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 31 GDPR, p. 627 (Oxford University Press 2020).</ref> Under [[Article 57 GDPR|Article 57(1) GDPR]], each supervisory authority shall “''monitor and enforce the application of this Regulation''” as well as “''conduct investigations on the application of this Regulation''”. Article 58(1) requires the controller and the processor “''to provide any information it requires for the performance of its tasks''”. In conclusion, if the “''information''” held by the controller is necessary for the authority to perform one of its tasks, then there seems to be very little room for (not) cooperating. Violations of the obligation to cooperate are punishable under Article 83(4)(a) GDPR. At the same time, proactive and good-faith behaviours can be taken into consideration by the DPA while deciding the amount of the administrative fine ([[Article 83 GDPR|Article 83(2)(f) GDPR]]). |
| | |
| Data protection authorities are given precise tasks to protect not only the data subject’s right but also the public interest as defined by the GDPR. From this perspective, Article 58(1) stipulates that supervisory authorities have investigative “''powers''” to “''order''” the controller and the processor “''to provide any information it requires for the performance of its tasks''”.
| |
| | |
| The scope of DPAs tasks is legally defined under [[Article 57 GDPR|Article 57(1) GDPR]] according to which each supervisory authority shall “''monitor and enforce the application of this Regulation''”, “''handle complaints lodged by a data subject''” as well as “''conduct investigations on the application of this Regulation''”.
| |
| | |
| In conclusion, if the “information” held by the controller is necessary for the authority to perform one of its tasks, then there seems to be very little for (not) cooperating. At the same time, proactive and good-faith behaviours can be taken into consideration by the DPA while deciding the amount of the administrative fine ([[Article 83 GDPR|Article 83(2)(f) GDPR]]). | |
| ==Decisions== | | ==Decisions== |
| → You can find all related decisions in [[:Category:Article 31 GDPR]] | | → You can find all related decisions in [[:Category:Article 31 GDPR]] |
← Article 31 - Cooperation with the supervisory authority →
|
|
Chapter 1: General provisions
Chapter 3: Rights of the data subject
Chapter 4: Controller and processor
Chapter 5: Transfers of personal data
Chapter 6: Supervisory authorities
Chapter 7: Cooperation and consistency
Chapter 8: Remedies, liability and penalties
Chapter 9: Specific processing situations
Chapter 10: Delegated and implementing acts
Chapter 11: Final provisions
|
Legal Text
Article 31 - Cooperation with the supervisory authority
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
Relevant Recitals
Recital 80: Designated Representative
Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.
Recital 82: Maintenance and Availability of Records
In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
Overview
Article 31 stipulates a legal obligation for controllers and processors to cooperate with the supervisory authority.
Cooperation
Article 31 establishes a legal obligation for controllers and processors, including their representatives, to cooperate with the supervisory authority when exercising its tasks.[1] Under Article 57(1) GDPR, each supervisory authority shall “monitor and enforce the application of this Regulation” as well as “conduct investigations on the application of this Regulation”. Article 58(1) requires the controller and the processor “to provide any information it requires for the performance of its tasks”. In conclusion, if the “information” held by the controller is necessary for the authority to perform one of its tasks, then there seems to be very little room for (not) cooperating. Violations of the obligation to cooperate are punishable under Article 83(4)(a) GDPR. At the same time, proactive and good-faith behaviours can be taken into consideration by the DPA while deciding the amount of the administrative fine (Article 83(2)(f) GDPR).
Decisions
→ You can find all related decisions in Category:Article 31 GDPR
References
- ↑ Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 31 GDPR, p. 627 (Oxford University Press 2020).