gdpr-dpa-cooperation

GDPR Supervisory Authority Cooperation

Overview

Article 31 requires controllers and processors to cooperate, on request, with the supervisory authority in the performance of its tasks. This obligation is unconditional and applies to all interactions with data protection authorities, including formal investigations, audit requests, information requests, and complaint-driven inquiries. Non-cooperation can itself result in administrative fines under Art. 83(5)(e).

Types of Supervisory Authority Interactions

1. Information Requests (Art. 58(1)(a))

The supervisory authority may order the controller and processor to provide any information it requires for the performance of its tasks. Responses are typically required within 4 weeks unless a shorter deadline is specified.

2. Data Protection Audits (Art. 58(1)(b))

The authority may carry out investigations in the form of data protection audits, reviewing documentation, interviewing staff, and testing controls.

3. On-Site Inspections (Art. 58(1)(f))

The authority may obtain access to premises of the controller and the processor, including to any data processing equipment and means.

4. Complaint-Driven Investigations (Art. 77)

When a data subject lodges a complaint, the authority investigates and may request documentation, explanations, and corrective actions from the controller.

5. Cross-Border Cooperation (Art. 56, 60-66)

In cross-border processing cases, the lead supervisory authority cooperates with concerned authorities under the consistency mechanism. Controllers may be required to provide information to multiple authorities.

Response Procedures

Receiving an Authority Request

1. Log the request: Record the date, authority, reference number, scope, and deadline in the regulatory correspondence register.
2. Notify key stakeholders immediately: DPO, General Counsel, CEO/Managing Director, and the relevant processing owner.
3. Assess scope: Determine which processing activities, documents, and personnel are in scope.
4. Legal privilege review: Identify any documents that may be subject to legal professional privilege and consult with external counsel.
5. Assemble response team: DPO (lead), legal counsel, relevant processing owners, IT/security (if technical information requested).

Preparing the Response

1. Gather evidence: Collect all requested documents from the accountability portfolio.
2. Verify accuracy: Cross-check all documents for consistency and currency before submission.
3. Draft response letter: Address each item requested with specific evidence or explanation.
4. Quality review: DPO and legal counsel review the complete response package.
5. Submit within deadline: Submit the response via the authority's preferred channel with delivery confirmation.
6. Archive: File a copy of the response in the regulatory correspondence register.

During On-Site Inspections

1. Preparation: Ensure the inspection room is prepared with relevant documentation available. Brief all staff who may be interviewed.
2. Escort protocol: Authority inspectors must be accompanied at all times by a designated representative.
3. Documentation: Record all questions asked, documents reviewed, and verbal statements made during the inspection.
4. Scope management: Politely but firmly ensure the inspection remains within the stated scope. Seek clarification from the authority if requests appear to go beyond the stated purpose.
5. Technical access: Provide access to systems as requested but ensure access is supervised and logged.
6. Post-inspection: Prepare a detailed internal record of the inspection. Identify any follow-up actions committed to.

Cooperation Obligations vs Legal Rights

While Art. 31 mandates cooperation, controllers and processors retain certain rights:

• Right to legal representation during interviews and inspections
• Right to claim legal professional privilege over attorney-client communications
• Right to request clarification of the legal basis and scope of the investigation
• Right to contest factual inaccuracies in authority findings
• Right to be heard before corrective measures are imposed (Art. 58(4))
• Right to judicial remedy against authority decisions (Art. 78)

Common Pitfalls

1. Delayed response: Missing the response deadline is itself a compliance failure that can result in fines.
2. Incomplete response: Providing partial information without explaining why certain items are unavailable.
3. Inconsistent documentation: Submitting documents that contradict each other or contradict the organisation's public privacy notice.
4. Uncoordinated communication: Multiple employees providing different answers to the authority.
5. Obstruction: Any action perceived as impeding the authority's investigation, including destroying documents, withholding information, or providing misleading statements.