On 16 December 2016, the European Article 29 Working Party (WP29) released three sets of guidelines detailing their interpretation of key implementation issues relating to the EU General Data Protection Regulation (GDPR). The guidelines cover the right to data portability, data protection officers (DPOs) and identifying a lead supervisory authority. Guidance on the EU-US Privacy Shield was also included.
The guidance is extensive, and we will provide detailed commentary in our January blog posts.
Key points are:
- The right to data portability
The right to data portability allows individuals to obtain their personal data from organisations and to reuse it for their own purposes and across different services.
In the guidelines, the WP29 adopts a very broad interpretation of the scope of the right to data portability. The right applies not only to personal data actively and knowingly provided by the individual (e.g. through an online form), but also to personal data generated as a result of user activity, such as search history, traffic data, location data or raw data generated by a smart meter.
The WP29 also recommends that organisations put in place appropriate procedures enabling
individuals to make data portability requests and receive the data relating to them. Where a request for data portability is made, an organisation must provide the personal data to the individual “without undue delay” and “within one month of receipt of the request”. The data must be in a format that supports reuse, and include as much metadata as possible.
- Data protection officer (DPO)
The GDPR requires the designation of a DPO in three specific cases:
- Where the processing is carried out by a public authority or body.
- Where the core activities of the organisation or the data processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
- Where the core activities of the organisation or the data processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
In the guidelines, the WP29 provides more detail regarding the designation requirements and further defines what is meant by “core activities”, “large scale”, and “regular and systematic monitoring”.
In many cases organisations will not be required to appoint a DPO. Nevertheless, the WP29 recommends that, unless it is obvious that the mandatory designation requirement does not apply, organisations and data processors should document the internal analysis carried out to determine whether a DPO is required.
Also addressed are the required expertise of the DPO, the tasks a DPO is required to undertake, and issues relating to processors’ DPOs. The guidelines also state that the functions of a DPO can be outsourced to an individual or organisation on the basis of a service contract.
- Lead supervisory authority
The WP29’s guidelines clarify who is the lead supervisory authority where an organisation carries out cross-border processing of personal data (known as the one-stop shop principle), with examples and recommendations. Identifying the lead supervisory authority depends primarily on the country in which the main establishment of the organisation is based. Organisations without any establishment in the EU must deal with local supervisory authorities in every member state they are active in through their local representative.
For further information on the new Regulation and its application, the following GDPR publications are recommended reading:
The perfect introduction to the principles of data privacy and the GDPR, this concise guide is essential reading for anyone wanting an overview on the new compliance obligations for handling the personal data of EU residents. Buy now >>
This clear and comprehensive guide provides detailed commentary on the GDPR and practical implementation advice on the compliancy measures needed for your data protection and information security regimes. Buy now >>