gdpr-dpa-cooperation
GDPR Supervisory Authority Cooperation
Overview
Article 31 requires controllers and processors to cooperate, on request, with the supervisory authority in the performance of its tasks. This obligation is unconditional and applies to all interactions with data protection authorities, including formal investigations, audit requests, information requests, and complaint-driven inquiries. Non-cooperation can itself result in administrative fines under Art. 83(5)(e).
Types of Supervisory Authority Interactions
1. Information Requests (Art. 58(1)(a))
The supervisory authority may order the controller and processor to provide any information it requires for the performance of its tasks. Responses are typically required within 4 weeks unless a shorter deadline is specified.
2. Data Protection Audits (Art. 58(1)(b))
The authority may carry out investigations in the form of data protection audits, reviewing documentation, interviewing staff, and testing controls.
3. On-Site Inspections (Art. 58(1)(f))
The authority may obtain access to premises of the controller and the processor, including to any data processing equipment and means.
4. Complaint-Driven Investigations (Art. 77)
When a data subject lodges a complaint, the authority investigates and may request documentation, explanations, and corrective actions from the controller.