
GDPR Art.31: Cooperation with the Supervisory Authority

What This Control Requires

The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

In Plain Language

When a Data Protection Authority comes calling, you cooperate. Article 31 is short and to the point: controllers, processors, and their representatives must work with supervisory authorities whenever asked. This covers investigations, audits, complaint handling, consultations, and any other regulatory task.

Cooperation means responding to requests fully, honestly, and on time. It means providing requested documents, facilitating inspections, making staff available for interviews, granting access to systems and premises, and carrying out corrective measures when directed. Refusing to cooperate is itself a GDPR violation that can attract administrative fines - on top of whatever the original investigation was about.

Organisations that stay on top of their compliance documentation have a much easier time when regulators engage. If your RoPA is current, your policies are in order, your breach logs are maintained, and your governance structure is clear, a regulatory enquiry becomes a manageable process rather than a scramble. The accountability work you do proactively pays off directly when it matters most.

How to Implement

Designate a primary contact point for all supervisory authority communications - typically your DPO or legal counsel. Make sure everyone in the organisation knows to escalate any regulatory contact to this person immediately, without attempting to handle it themselves. Speed and coordination matter in these situations.

Develop response protocols for different types of regulatory engagement. An informal information request calls for a different approach than a dawn raid or a formal enforcement proceeding. For each scenario, define who needs to be involved, what information will need to be gathered, how responses should be reviewed and approved, and when outside legal advice is needed.

Keep your compliance documentation ready for inspection at all times. Your RoPA, policies, DPIAs, DPAs, training records, breach logs, and data subject request records should be current, accessible, and well-organised. Being able to produce comprehensive documentation quickly makes a significant difference in how a regulatory interaction unfolds.

Train staff who might interact with supervisory authorities during investigations or audits. They need to understand the cooperation obligation, the importance of providing accurate information, the limits of what they should discuss without legal counsel present, and how to handle requests for system access or site visits. A well-prepared team is far less likely to make costly mistakes under pressure.

Log every interaction with supervisory authorities. Record the date, what was requested or discussed, what you provided, what actions you took, and the outcome. This supports accountability, helps you spot patterns in regulatory focus areas, and gives you a reference point for future engagement.

Evidence Your Auditor Will Request

  • Designated contact point and procedure for supervisory authority communications
  • Response protocols for different types of regulatory engagement
  • Up-to-date compliance documentation ready for regulatory inspection
  • Staff training records on supervisory authority interaction protocols
  • Log of all supervisory authority interactions and responses

Common Mistakes

  • No designated contact point for supervisory authority communications, leading to delayed or uncoordinated responses
  • Compliance documentation not readily accessible or not up-to-date when requested
  • Staff providing incomplete, inaccurate, or inconsistent information to supervisory authorities
  • Delaying or obstructing supervisory authority investigations or audits
  • No established procedure for handling regulatory engagement, leading to ad-hoc and potentially damaging responses

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.5        Related

Frequently Asked Questions

What are the consequences of not cooperating with a supervisory authority?

Fines of up to EUR 10 million or 2% of global annual turnover (whichever is higher) under Article 83(4)(a). Beyond the fine itself, non-cooperation tends to make regulators less sympathetic to your position on the underlying issue. They may draw adverse inferences, impose harsher penalties, or escalate their use of investigative powers. It's almost never worth the risk.

Are we required to provide information that might incriminate us?

The cooperation obligation is broad, but it doesn't override fundamental rights, including the privilege against self-incrimination. How far that privilege extends in GDPR proceedings depends on the Member State. As a general rule, you're expected to provide factual information and documents, but get legal advice before handing over anything that could be used in criminal proceedings.

Can we request time to respond to supervisory authority inquiries?

Yes, and it's perfectly normal to do so. Supervisory authorities generally understand that gathering information takes time and will allow reasonable deadlines. The key is to communicate proactively - tell them you need more time and give a realistic timeline. That's very different from stonewalling or going quiet, which is what gets organisations into trouble.
