Article 31 GDPR: Difference between revisions

From GDPRhub
(Review)
Line 208: Line 208:


=== Cooperation ===
=== Cooperation ===
The term “''cooperation''” is not defined in the GDPR.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 31 GDPR, p. 627 (Oxford University Press 2020).</ref> Whilst the Oxford Dictionary defines it as “''the action or process of working together towards a shared aim''”,<ref>Oxford Dictionary – Academic English, [https://www.oxfordlearnersdictionaries.com/definition/english/cooperation?q=Cooperation “Cooperation”] – accessed on 29 October 2020</ref> we are of the opinion that controllers and processors are not given the option to not cooperate.
The term “''cooperation''” is not defined in the GDPR.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 31 GDPR, p. 627 (Oxford University Press 2020).</ref> Whilst the Oxford Dictionary defines it as “''the action or process of working together towards a shared aim''”,<ref>Oxford Dictionary – Academic English, [https://www.oxfordlearnersdictionaries.com/definition/english/cooperation?q=Cooperation “Cooperation”] – accessed on 29 October 2020.</ref> we are of the opinion that controllers and processors are not given the option to not cooperate.


Data protection authorities are given precise tasks to protect not only the data subject’s right but also the public interest as defined by the GDPR. From this perspective, Article 58(1) stipulates that supervisory authorities have investigative “''powers''” to “''order''” the controller and the processor “''to provide any information it requires for the performance of its tasks''”.
Data protection authorities are given precise tasks to protect not only the data subject’s right but also the public interest as defined by the GDPR. From this perspective, Article 58(1) stipulates that supervisory authorities have investigative “''powers''” to “''order''” the controller and the processor “''to provide any information it requires for the performance of its tasks''”.

Revision as of 13:26, 18 August 2021

Article 31 - Cooperation with the supervisory authority
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 31 - Cooperation with the supervisory authority


The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

Relevant Recitals

Recital 80

[...] Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.

Recital 82

[...] In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Commentary

Overview

Article 31 stipulates a legal obligation for controllers and processors to cooperate with the supervisory authority.

Cooperation

The term “cooperation” is not defined in the GDPR.[1] Whilst the Oxford Dictionary defines it as “the action or process of working together towards a shared aim”,[2] we are of the opinion that controllers and processors are not given the option to not cooperate.

Data protection authorities are given precise tasks to protect not only the data subject’s right but also the public interest as defined by the GDPR. From this perspective, Article 58(1) stipulates that supervisory authorities have investigative “powers” to “order” the controller and the processor “to provide any information it requires for the performance of its tasks”.

The scope of DPAs tasks is legally defined under Article 57(1) GDPR according to which each supervisory authority shall “monitor and enforce the application of this Regulation”, “handle complaints lodged by a data subject” as well as “conduct investigations on the application of this Regulation”.

In conclusion, if the “information” held by the controller is necessary for the authority to perform one of its tasks, then there seems to be very little for (not) cooperating. At the same time, proactive and good-faith behaviours can be taken into consideration by the DPA while deciding the amount of the administrative fine (Article 83(2)(f) GDPR).

Decisions

→ You can find all related decisions in Category:Article 31 GDPR

References

  1. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 31 GDPR, p. 627 (Oxford University Press 2020).
  2. Oxford Dictionary – Academic English, “Cooperation” – accessed on 29 October 2020.