On December 16, 2016, the Article 29 Data Protection Working Party (“WP29”) published guidelines and FAQs on the forthcoming General Data Protection Regulation (the “GDPR”) addressing the following three key issues:
- Data Protection Officers (“DPOs”) (WP 243)
- The right to “data portability” (WP 242)
- The identification of the lead supervisory authority (WP 244)
The published guidelines are based on input from various stakeholders, including the workshop (Fablab) that the WP29 organised in July 2016 (for the summary of the discussions at the Fablab, see here).
DPOs
The WP29 encourages organisations to designate a DPO on a voluntary basis. In the guidelines, the WP29 provides more detail regarding the designation requirements and further defines what is meant by “core activities”, “large scale”, and “regular and systematic monitoring”. Also addressed are the conditions necessary for the designation of a single DPO for a group of related companies, the required expertise of the DPO (who may be an organisation’s employee or appointed via a service contract), the tasks a DPO is required to undertake, and issues relating to DPOs of processors.
Right to Data Portability
The WP29 adopts a very broad interpretation of the scope of the right to data portability, suggesting the right does not only cover data provided knowingly and actively by the data subject (for example, by completing an online form), but also data generated by and collected from the activities of users (basically raw data collected by virtue of the use of the service or the device as opposed to inferred or derived data, such as data generated through the subsequent analysis of the data subject through the use of cookies).
The WP29 distinguishes two elements of the right to data portability, namely (i) the right to receive personal data and store it further for personal use on a device, and (ii) the right to transmit the data to another controller, without hindrance. The right to data portability is limited to cases where the processing of personal data is based on consent or contract, but the WP29 considers it a good practice in other cases. The personal data must concern the data subject; in other words, anonymous data is out of scope, whilst pseudonymous data is within scope if it can be clearly linked to a data subject.
Identifying the Lead Supervisory Authority
The guidelines, which also contain a useful checklist for controllers and processors, explain how to determine the lead or otherwise competent Supervisory Authority (“SA”) in a number of different scenarios, including by way of examples. Importantly, the WP29 recognises that there will be borderline and complex situations in which the determination of the lead SA will be difficult; if the SAs have conflicting views, the European Data Protection Board will need to take a decision. The WP29 notes that companies without an “establishment” within the EU cannot benefit from the “one stop shop” but must deal with the local SAs in every Member State in which they are active.
Next Steps
Stakeholders have until the end of January 2017 to comment on the published guidelines, and in 2017 the WP29 will publish guidelines on Data Protection Impact Assessments and Certification. In April 2017, a new Fablab on the GDPR with interested stakeholders will take place, and in May 2017 the WP29 will host a meeting with its international counterparts.