On 13 December 2016, the Article 29 Data Protection Working Party (WP29) adopted a series of guidelines and frequently asked questions on the following aspects of the General Data Protection Regulation (GDPR):
The guidelines explain that the new right to data portability created under Article 20 of the GDPR is made up of the following elements:
It is worth noting that the GDPR only establishes a right to data portability where data processing is 'carried out by automated means' (thereby excluding paper files). The right to data portability also applies where the processing is carried out either with the data subject's consent or pursuant to a contract. The personal data requested should 'concern the data subject and be provided by him.
In both the guidelines and the FAQs, WP29 is keen to emphasise that it considers the right should cover not only data provided knowingly and actively by the data subject but also personal data generated by his or her activity. This would include personal data generated by the individual's use of a service, for example internet search history or raw data collected by fitness trackers. However, it would not include data created by the data controller, such as a user profile created by analysing raw data from smart meters. WP29 also recommends that data controllers should clearly inform data subjects which types of data are subject to the right of data portability.
The guidelines set out best practice tips on authentication of a data subject, the expected format for the provision of data, how to deal with large or complex personal data collection and security issues on transmission.
WP29 'strongly encourages' industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.
The guidelines explain that the appointment of a Data Protection Officer (DPO) is a key part of the compliance framework for organisations that are required under the GDPR to appoint one. The WP29 also encourages the designation of a DPO on a voluntary basis even where organisations are not required to appoint one.
The GDPR requires data controllers and data processors to appoint a DPO where:
The guidelines and FAQs contain direction on the following key points:
Where a controller or processor carries out cross-border processing of personal data within the EU, that controller or processor will need to designate a 'lead supervisory authority'.
The lead supervisory authority will have primary responsibility for dealing with cross-border processing activities and will coordinate investigations into breaches by the controller or processor. 'Cross-border' activities can include processing in the context of activities of a controller or processor established in several Member States, as well as processing by a controller or processor established in one Member State where the processing substantially affects data subjects in more than one Member State.
For data controllers, the lead authority will be the authority in the country in which the decisions about the purposes and means of processing of personal data are taken. Sometimes it may be possible to have more than one lead authority for a particular controller. For example, if a controller has a particular department established in a different Member State from its normal headquarters, there may be different lead authorities for different types of cross-border processing activities.
The guidelines emphasise the importance of identifying precisely where decisions on purposes and means of processing are made in relation to the processing activities carried out by the controller.
In relation to groups of undertakings, the lead authority is likely to be the authority in the country where the undertaking with overall control is established – this is likely to be the parent undertaking or 'central administration'.
Where groups of companies have more complex decision-making processes, with different establishments having independent decision-making powers, the lead authority will be the country where the exercise of management activities that determine the main decisions relating to personal data takes place.
For processors, the lead authority will be the regulator in the country in which the processor's central administration is located. If there is no central administration, it will be where the main processing activities of that processor take place. If a case involves both a controller and a processor, the lead authority competent to deal with that case will be the controller's lead authority. The processor's lead authority will be a 'concerned' authority.
Controller and processors are not allowed to 'forum shop' by claiming they have their main establishment in one Member State when in fact management activity is exercised in another Member State. Supervisory authorities can challenge an organisation's designation of a lead authority and ultimately the European Data Protection Board (EDPB) can decide objectively which authority is in fact the 'lead'.
Lead authorities must consult with 'concerned' supervisory authorities through the cooperation procedures set out in the GDPR. An authority will be 'concerned' if the controller or processor has an establishment in that Member State, if data subjects residing in that Member State will be substantially affected by processing, or if a complaint has been lodged with that Member State.
Concerned authorities will therefore have a say in how a matter is dealt with when either of these criteria apply. A lead authority may decide not to handle a case if it would be more appropriate for the concerned supervisory authority who informed the lead authority of the case to do so.
These guidelines are a useful starting point for organisations on some of the key elements of the GDPR that are entirely new territory.
Multinational organisations in particular will find the guidance on identifying a lead authority of interest and we recommend that those organisations start considering now which authority would be most appropriate for them to designate. All businesses that process personal data will benefit from the guidance on DPOs and data portability.
WP29 has invited comments on the adopted guidelines by the end of January 2017. If your organisation has any comments on the guidelines or any further points within those topics it would be useful to include in the guidelines, you can email the WP29 with comments at: JUST-ARTICLE29WP-SEC@ec.europa.eu and firstname.lastname@example.org.
These guidelines are the first in a series of GDPR guidance documents due to be issued by the WP29. Guidelines on Data Protection Impact Assessments and Certification are expected in 2017.
Contributor: Emma Fox
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.