Article 31 GDPR

From GDPRhub
Article 31 - Cooperation with the supervisory authority
Chapter 10: Delegated and implementing acts

Legal Text[edit | edit source]

Article 31 - Cooperation with the supervisory authority

The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

Relevant Recitals[edit | edit source]

Recital 80

[...] Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.

Recital 82

[...] In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Commentary[edit | edit source]

Overview[edit | edit source]

Article 31 stipulates a legal obligation for controllers and processors to cooperate with the supervisory authority.

Cooperation[edit | edit source]

The term “cooperation” is not defined in the GDPR. [1] Whilst the Oxford Dictionary defines it as “the action or process of working together towards a shared aim[2], we are of the opinion that controllers and processors are not given the option to not cooperate.

Data protection authorities are given precise tasks to protect not only the data subject’s right but also the public interest as defined by the GDPR. From this perspective, Article 58(1) stipulates that supervisory authorities have investigative “powers” to “order” the controller and the processor “to provide any information it requires for the performance of its tasks”.

The scope of DPAs tasks is legally defined under Article 57(1) according to which each supervisory authority shall “monitor and enforce the application of this Regulation”, “handle complaints lodged by a data subject” as well as “conduct investigations on the application of this Regulation”.

In conclusion, if the “information” held by the controller is necessary for the authority to perform one of its tasks, then there seems to be very little for (not) cooperating. At the same time, proactive and good-faith behaviors can be taken into consideration by the DPA while deciding the amount of the administrative fine (Article 83(2)(f) GDPR).

[1] Kuner C, The EU General Data Protection Regulation (GDPR): A Commentary, Oxford University Press 2020, pg. 627

[2] Oxford Dictionary – Academic English, “Cooperation” – accessed on the 29.10.2020

Decisions[edit | edit source]

→ You can find all related decisions in Category:Article 31 GDPR

References[edit | edit source]