No one could accuse the EU Article 29 Working Party (WP29) of not delivering as promised. Following its recently held December plenary meeting, the WP29 has released three separate guidelines with their interpretation of some key aspects of the General Data Protection Regulation, namely:
- data portability,
- data protection officers (DPOs), and
- lead supervisory authorities.
At the same time, the WP29 has confirmed its role as the “EU centralised body” for handling individual complaints under the Privacy Shield and the re-establishment of its enforcement subgroup in charge of coordinating cross-border enforcement actions.
Here are the highlights of the three guidelines:
Data portability:
- It is said at the outset that the aim of this new right is to empower data subjects regarding their own personal data. At the same time, this right aims to foster innovation in data uses and to promote new business models linked to more data sharing under the data subjects’ control.
- The right applies not only to personal data actively and knowingly provided by the data subject but also to pseudonymised data that can be clearly linked to a data subject and to personal data generated as a result of the user’s activities (such as search history, traffic data, location data or raw data generated by a smart meter or fitness tracker).
- When responding to data portability requests, data controllers should provide as much metadata as possible alongside the data itself, at the highest possible level of granularity, to preserve the precise meaning of the exchanged information.
- To this end, the WP29 strongly encourages industry stakeholders and trade associations to work together on developing a common set of interoperable standards and formats.
Data protection officers (DPOs):
- The guidance provides specific examples to illustrate circumstances in which a controller or processor must appoint a DPO, such as in relation to what would be considered “large scale” processing and “regular and systematic monitoring”.
- It is stressed that the personal availability of a DPO is essential, and that the DPO’s primary concern should be enabling compliance with the GDPR.
- The guidance also clarifies that DPOs are not personally responsible in case of non-compliance with the GDPR.
- The WP29 also states that the functions of a DPO can be carried out by an individual or organisation outside the controller’s or processor’s organisation on the basis of a service contract.
Lead supervisory authorities:
- The guidance clarifies, with examples and practical recommendations, how a controller or processor carrying out cross-border processing should determine its main establishment for the purposes of identifying the lead supervisory authority.
- The WP29 says that there may be cases where more than one lead supervisory authority can be appointed, for instance where different establishments are in charge of certain types of processing within a single group of undertakings.
- In borderline cases where it is difficult to identify the main establishment or to determine where decisions about data processing are taken, the guidance recommends the pragmatic solution of designating an establishment which will act as the main establishment in the EU.
- Crucially, the WP29 points out that supervisory authorities will remain able to investigate suspected instances of “forum shopping”.
With less than a year and a half until the GDPR becomes fully applicable, the WP29’s guidance provides some helpful steering but also gives a clear indication of the regulators’ expectations regarding compliance with the new law.
Elizabeth Campion, a paralegal in our London office, contributed to this post.