On 15 December 2016 the Article 29 Working Party (“WP29”) released draft guidelines and FAQs on key provisions of the EU’s General Data Protection Regulation (“GDPR”). The guidelines cover the right to data portability, data protection officers and the lead supervisory authority. The WP29 has invited comments from stakeholders on the draft guidelines and FAQs; the deadline for comments is 31 January 2017. Although the invitation for comment is directed at the new guidance, some members of the WP29 have expressed interest in receiving comments on additional issues on the WP29’s 2017 work plan for which guidance has not yet been issued.
1. The right to data portability
The WP29’s guidelines provide information on the implementation, interpretation and scope of the right to data portability. In particular, the guidelines conclude that:
- the right to data portability applies to data provided by the data subject actively and knowingly (for example, a mailing address or user name). It also applies to data “provided” by the data subject by virtue of the use of a device or a service (for example, search history and location data);
- the right to data portability does not apply to inferred or derived data generated by a data controller on the basis of raw data provided by the data subject (for example, a credit score);
- the right to data portability cannot be undermined by limiting it to the personal data directly communicated by the data subject via, for example, an online form; data observed through the data subject’s use of a service is also covered; and
- data controllers should start developing systems to answer data portability requests, such as download tools and Application Programming Interfaces. Personal data should be transmitted by data controllers in a structured, commonly used and machine-readable format.
The WP29 also recommends that industry stakeholders and trade associations work together to produce a set of interoperable standards and formats for delivering the right to data portability. The WP29’s draft guidelines on the right to data portability are available here. The FAQs are available here.
2. Data protection officers
The WP29’s guidelines explain the mandatory and voluntary designation of a data protection officer (“DPO”), including considerations for appointing a single DPO at corporate group level. The guidelines confirm that the triggers for mandatory designation are substantial, so many companies will not be required to appoint a DPO. Nevertheless, the WP29 recommends that, unless it is obvious that the mandatory designation requirement does not apply, controllers and processors document the internal analysis carried out to determine whether a DPO is required.
The guidelines also provide key definitions for the designation obligation and consider the position of the DPO, the DPO’s role within a company, and the tasks expected of the DPO. These include monitoring compliance, record keeping, advising on and monitoring data protection impact assessments, and prioritising the DPO’s tasks according to the risk of the processing concerned. The guidelines also detail the resources that should be provided to the DPO, which include active support by senior management and “adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate.” The guidance also makes clear that, while DPOs have significant responsibilities, they “are not personally responsible for non-compliance” with the laws. Ultimate responsibility for violations rests with the data controllers and data processors.
3. Lead supervisory authority
The WP29’s guidelines provide helpful guidance for companies to determine who is the lead supervisory authority where a company carries out cross-border processing of personal data, known as the One-Stop-Shop principle. Cross-border processing occurs where:
- processing of personal data occurs in the “context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one EU Member State;” or
- processing of personal data takes place in the context of the activities of a single establishment of a controller or processor, but is likely to, or does, “substantially affect” data subjects in more than one Member State. There is no quantitative or qualitative threshold for a substantial effect; supervisory authorities will interpret “substantially affects” on a case-by-case basis.
The guidelines make it clear that the GDPR does not permit “forum shopping.” Nevertheless, the WP29 stresses that where internal decision making on privacy and data protection matters takes place can affect which supervisory authority is the lead, and this should therefore be considered when structuring data protection compliance programs. The guidelines also state that where a company has no establishment in the EU, the One-Stop-Shop principle does not apply and the company must deal with the supervisory authority in every EU Member State in which it is active.