← Article 31 - Cooperation with the supervisory authority →
|
|
Chapter 1: General provisions
Chapter 3: Rights of the data subject
Chapter 4: Controller and processor
Chapter 5: Transfers of personal data
Chapter 6: Supervisory authorities
Chapter 7: Cooperation and consistency
Chapter 8: Remedies, liability and penalties
Chapter 9: Specific processing situations
Chapter 10: Delegated and implementing acts
Chapter 11: Final provisions
|
Legal Text
Article 31 - Cooperation with the supervisory authority
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
Relevant Recitals
Recital 80: Designated Representative
Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.
Recital 82: Maintenance and Availability of Records
In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
Article 31 stipulates a legal obligation for controllers and processors to cooperate with the supervisory authority.
Cooperation
Article 31 GDPR establishes a legal obligation for controllers and processors, including their representatives, to cooperate with the supervisory authority when exercising its tasks. The provision clearly obligates controllers and processors to cooperate with DPAs “in the exercise of its tasks”. Under Article 57(1) GDPR, each supervisory authority shall “monitor and enforce the application of this Regulation” as well as “conduct investigations on the application of this Regulation”. Article 58(1) GDPR requires the controller and the processor “to provide any information it requires for the performance of its tasks”. As Kotschy mentions, providing information can conflict with the right against self-incrimination. In this regard, Kotschy states, it follows from the CJEU decision Orkem,[1] that “documents, even with incriminating content, must be delivered”.[2] Violations of this obligation are punishable under Article 83(4)(a) GDPR, but proactive and good-faith behaviours can be taken into consideration by the DPA while deciding the amount of the administrative fine (Article 83(2)(f) GDPR).
Decisions
→ You can find all related decisions in Category:Article 31 GDPR
References
- ↑ CJEU, Case C-374/87, Orkem, 18 October 1989 (available here).
- ↑ Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 31 GDPR, p. 628 (Oxford University Press 2020).