When people talk about GDPR compliance, they usually focus on consent, data subject rights, fines, or security breaches. Yet one short provision quietly underpins the entire enforcement mechanism of the GDPR: Article 31. While it contains only a single sentence, its implications are broad and serious. Article 31 requires controllers and processors to cooperate with supervisory authorities whenever those authorities are performing their tasks.
This obligation is not optional, conditional, or limited to investigations involving violations. It applies proactively and reactively, during audits, inquiries, complaints, breach investigations, or informal requests for clarification. In practice, Article 31 governs how organizations behave when a regulator comes knocking — and often determines whether an inquiry remains manageable or escalates into enforcement action.
The Legal Text of GDPR Article 31 (In Plain Language)
Article 31 states, in essence, that:
Controllers and processors must cooperate, on request, with the supervisory authority in the performance of its tasks.
While deceptively simple, this sentence creates a binding legal duty with several implicit requirements:
- Cooperation must be active, not passive
- Cooperation must occur upon request, not only after violations
- Cooperation applies to both controllers and processors
- Cooperation is required for all supervisory tasks, not only enforcement
Article 31 does not describe how to cooperate in detail, which means organizations must interpret it in light of the GDPR’s broader principles: transparency, accountability, and good faith.
Who Is Obligated Under Article 31?
Controllers
A controller is the entity that determines the purposes and means of processing personal data. Controllers bear primary responsibility for GDPR compliance and are typically the first point of contact for supervisory authorities.
Under Article 31, controllers must:
- Respond to regulatory inquiries
- Provide requested documentation
- Facilitate inspections or audits
- Clarify processing activities
- Support investigations involving complaints or breaches
Failure by a controller to cooperate can itself be treated as a compliance failure — even if the underlying data processing is lawful.
Processors
Processors act on behalf of controllers and process personal data under instructions. Article 31 explicitly applies to processors as well, meaning they cannot hide behind contractual arrangements or defer entirely to controllers.
Processors must:
- Respond directly to supervisory authorities when requested
- Provide evidence of compliance with Article 28 obligations
- Assist in investigations related to security, subcontractors, or breaches
A processor’s refusal or delay can expose both the processor and the controller to regulatory consequences.
What Does “Cooperate” Actually Mean?
The GDPR deliberately leaves the term “cooperate” open-ended, but supervisory authorities interpret it broadly. In practice, cooperation includes several concrete behaviors.
Timely and Complete Responses
Organizations are expected to respond within the timeframes specified by regulators. Ignoring emails, missing deadlines, or providing partial answers may be interpreted as non-cooperation.
Honest and Accurate Information
Providing misleading, evasive, or knowingly incorrect information violates the spirit of Article 31 and may worsen enforcement outcomes.
Access to Documentation
Authorities may request:
- Records of processing activities
- Data protection policies
- Data processing agreements
- Security procedures
- Breach documentation
Organizations must be able to produce these promptly.
Facilitation of Investigations
This may include allowing audits, answering follow-up questions, or coordinating with technical staff, legal teams, or data protection officers.
Article 31 and the Principle of Accountability
Article 31 reinforces the GDPR’s accountability principle. Accountability is not just about internal compliance — it is about demonstrating compliance when asked.
An organization that has strong internal controls but refuses to explain them to regulators is still failing under Article 31. Conversely, organizations that engage openly and constructively with authorities often benefit from reduced sanctions or informal resolutions.
Supervisory authorities consistently emphasize that cooperation is a mitigating factor when assessing fines.
Consequences of Failing to Cooperate
While Article 31 does not specify penalties, failure to cooperate can trigger enforcement under other GDPR provisions.
Potential consequences include:
- Administrative fines
- Orders to suspend or restrict processing
- Mandatory audits
- Increased scrutiny in future investigations
In many enforcement cases, regulators explicitly cite lack of cooperation as an aggravating factor, sometimes resulting in higher fines than the original violation alone would justify.
Article 31 in Practice: Common Scenarios
Article 31 applies in far more situations than many organizations expect. Cooperation duties arise in everyday regulatory interactions, not only during major breaches.
Typical triggers include:
- A data subject complaint
- A routine compliance inquiry
- A breach notification review
- A sector-wide investigation
- A cross-border cooperation request
In all these cases, regulators expect calm, structured, and cooperative engagement.
Five Practical Examples of GDPR Article 31 in Action
Example 1: Responding to a Data Subject Complaint
A supervisory authority contacts a company after receiving a complaint from an individual claiming their access request was ignored. Under Article 31, the company must cooperate by explaining its procedures, providing correspondence records, and clarifying timelines.
Even if the company believes it acted correctly, refusing to engage or delaying responses would violate Article 31. Cooperation does not mean admitting fault — it means engaging transparently.
Example 2: Processor Cooperation During a Breach Investigation
A cloud service provider acting as a processor experiences a security incident. The supervisory authority contacts the processor directly, requesting details about encryption, access controls, and subcontractors.
Under Article 31, the processor must cooperate independently, not merely tell the authority to “contact the controller.” Failure to do so may expose the processor to direct enforcement action.
Example 3: Cross-Border Regulatory Cooperation
A multinational company is subject to a lead supervisory authority in one EU country, but another authority raises questions related to local data subjects.
Article 31 obligates the company to cooperate fully with the lead authority, knowing that information may be shared across borders. Selective disclosure or obstruction can complicate the one-stop-shop mechanism and escalate enforcement.
Example 4: On-Site Audit or Inspection
A supervisory authority announces an audit focusing on employee data processing. The organization must cooperate by granting access to relevant systems, policies, and staff.
Attempting to limit access unjustifiably, refusing interviews, or withholding documents would be viewed as non-cooperation under Article 31 — even if no substantive GDPR violation is found.
Example 5: Informal Clarification Request
A regulator sends an informal email asking how a specific processing activity complies with GDPR principles. Even though this is not a formal investigation, Article 31 still applies.
Ignoring the request or responding dismissively may convert an informal inquiry into a formal investigation, increasing risk unnecessarily.
Article 31 and the Role of the Data Protection Officer
Where a Data Protection Officer (DPO) is appointed, they often act as the primary liaison with supervisory authorities. Article 31 reinforces the importance of this role.
Organizations should ensure that:
- The DPO has authority to engage with regulators
- The DPO has access to necessary documentation
- Internal teams support the DPO promptly
However, Article 31 obligations apply to the organization as a whole — responsibility cannot be shifted entirely onto the DPO.
Best Practices for Complying with Article 31
To comply effectively with Article 31, organizations should adopt proactive measures rather than reacting under pressure.
Key practices include:
- Maintaining up-to-date records of processing
- Establishing internal response procedures for regulatory inquiries
- Training staff on regulator communications
- Designating clear points of contact
- Treating regulators as oversight partners, not adversaries
Organizations that prepare in advance typically experience smoother, faster, and less adversarial regulatory interactions.
Relationship Between Article 31 and Other GDPR Articles
Article 31 works in tandem with several other GDPR provisions, particularly those related to documentation, breach notification, and accountability. Without cooperation, compliance with these other obligations becomes meaningless in practice.
Article 31 effectively ensures that the GDPR is enforceable, transparent, and consistent across the EU.
Conclusion: Cooperation Is a Legal Duty, Not a Courtesy
GDPR Article 31 may be short, but it carries significant weight. It establishes a clear expectation that organizations handling personal data must engage openly, honestly, and constructively with supervisory authorities.
Cooperation is not about surrendering rights or admitting guilt. It is about demonstrating accountability, professionalism, and respect for data protection law. In many cases, how an organization cooperates matters just as much as what it did wrong — or whether it did anything wrong at all.