Article 31 GDPR
|← Article 31 - Cooperation with the supervisory authority →|
Legal Text[edit | edit source]
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
Relevant Recitals[edit | edit source]
Commentary[edit | edit source]
Overview[edit | edit source]
Article 31 stipulates a legal obligation for controllers and processors to cooperate with the supervisory authority.
Cooperation[edit | edit source]
The term “cooperation” is not defined in the GDPR.  Whilst the Oxford Dictionary defines it as “the action or process of working together towards a shared aim” , we are of the opinion that controllers and processors are not given the option to not cooperate.
Data protection authorities are given precise tasks to protect not only the data subject’s right but also the public interest as defined by the GDPR. From this perspective, Article 58(1) stipulates that supervisory authorities have investigative “powers” to “order” the controller and the processor “to provide any information it requires for the performance of its tasks”.
The scope of DPAs tasks is legally defined under Article 57(1) according to which each supervisory authority shall “monitor and enforce the application of this Regulation”, “handle complaints lodged by a data subject” as well as “conduct investigations on the application of this Regulation”.
In conclusion, if the “information” held by the controller is necessary for the authority to perform one of its tasks, then there seems to be very little for (not) cooperating. At the same time, proactive and good-faith behaviors can be taken into consideration by the DPA while deciding the amount of the administrative fine (Article 83(2)(f) GDPR).
 Kuner C, The EU General Data Protection Regulation (GDPR): A Commentary, Oxford University Press 2020, pg. 627
 Oxford Dictionary – Academic English, “Cooperation” – accessed on the 29.10.2020
Decisions[edit | edit source]
→ You can find all related decisions in Category:Article 31 GDPR