A WP29 guide to the Privacy Regulation

During its last plenary session in December 2016, the Article 29 Working Party (“WP29”) adopted three guidelines pertaining to the implementation of the General Data Protection Regulation (the “Privacy Regulation”). The guidelines deal with, respectively, data portability (the transmittal of data between controllers), the data protection officer (“DPO”) and the lead supervisory authority. Until the end of January 2017, stakeholders were invited to send their (additional) comments to the WP29.

The role of the WP29

WP29 is an independent European institution active within the sphere of data protection and privacy. The working party consists of (representatives of) the twenty-eight national data protection authorities and is assisted by the European Data Protection Supervisor. WP29 often publishes opinions on various topics relating to data protection and privacy, by means of which it aims to facilitate a consistent interpretation and enforcement of various regulations within the European Union. WP29 also provides expert opinions to the European Commission. Some documents of the WP29 are open to public consultation, such as the guidelines discussed in this blog post. The guidelines offer an explanation to and elaboration on topics regulated in the Privacy Regulation. Ovidius discusses several interesting points from these guidelines.

Guidelines on the right to data portability

Data portability, or – more specifically – the right thereto, is a newly created right under the Privacy Regulation. Data subjects are entitled to receive the personal data from the controller (the person or legal entity responsible for the processing of data) in a structured, commonly used and machine-readable format, and to transmit their personal data to another controller if desired. The data has to be made available to the data subject in such a manner that such transmittal is actually possible. The guidelines on data portability further specify this right of data portability:

  • A data subject can only exercise this right if he has given his consent to the processing of his personal data, or if this is done on the basis of a contract. Data that is being processed under one of the identified exceptions (such as a substantial public interest) is not susceptible to such a request.
  • The data has to concern the data subject;
  • The data must have been provided by the data subject; in other words, it either has to have been given to the controller (for example: an e-mail address) or have been generated by the controller through observation of the behaviour of the data subject (for example: search history).

The guidelines also specify how such a request should be dealt with. A controller generally has to comply with such a request within one month (maximum three months in complex cases) and cannot charge the data subject for it. The FAQ-sheet drafted by the WP29 provides a good overview of the guidelines on data portability.

Guidelines on data protection officers

The Privacy Regulation imposes an obligation on certain types of organizations to appoint a DPO. This obligation applies to public institutions that process personal data, organizations for which the processing of personal data is a core activity, and organizations that, for example, monitor people on a large scale (such as surveillance companies). Organizations can also voluntarily opt to appoint a DPO. After appointment, however, such a ‘voluntary’ DPO is subject to the same rules as an ‘involuntary’ DPO. Even though the guidelines try to give an indication as to the ideal profile of a DPO, they do not offer more than some general points: the DPO has to have an in-depth knowledge of the Privacy Regulation, and be familiar with the organization he works in. WP29 also offers advice as to the role of the DPO within an organization. This role shows various parallels with that of a member of the Works Council:

  • The DPO must be involved in all issues pertaining to data protection, and should be offered the opportunity to give its opinion on decisions that touch upon data protection;
  • The DPO has to be provided with sufficient funds, time and manpower to carry out its tasks;
  • The DPO has to be protected against repercussions (sanctions, dismissal) caused by the performance of its duties; just as a member of the Works Council is entitled to a certain level of protection.

The guidelines also list the most important duties of the DPO:

  • monitoring compliance with the Privacy Regulation;
  • providing assistance in carrying out privacy impact assessments;
  • prioritising risks, as the DPO should focus his attention on issues that contain a higher risk;
  • involvement with the registration duty of organisations.

WP29 emphasizes that the DPO is not responsible for carrying out these duties: it remains the responsibility of the controller and/or the processor to comply with the requirements of the Privacy Directive. The DPO merely has a supporting, facilitating role. The FAQ-sheet drafted by the WP29 provides a good overview of the guidelines on the DPO.

Guidelines on identifying the lead supervisory authority

If the processing of personal data crosses national borders, it is possible that several national data protection authorities are – in principle – competent to enforce compliance with national law. For that reason, the Privacy Regulation points towards a ‘lead supervisory authority’, the authority primarily responsible for the processing of personal data. Said lead supervisory authority is also the main authority involved in any investigation into the processing of personal data or in case of a complaint by a data subject. The lead supervisory authority is the authority that has to be notified in case of a data breach, where a risky processing activity has to be notified, or where the DPO has to be registered. For organizations it is, therefore, important to know which supervisory authority they have to deal with in respect of their compliance duties under the Privacy Regulation. To determine which authority takes the lead, the Privacy Regulation takes the concept of ‘main establishment’ as its main criterion. The assessment is carried out differently depending on the situation at hand:

  • Only the controller is involved: the Member State where the main establishment is located determines the lead supervisory authority, unless the relevant decisions on the purposes and means of the processing are taken by an establishment in a different Member State.
  • Both the controller and the processor are involved: first, it has to be verified whether the controller is established in the European Union and is subject to the one stop shop system (the principle that an organisation is primarily subjected to the supervision of the data authority of the Member State where its central establishment is located). The lead supervisory authority of the controller is also that of the processor; the data authority competent with regard to the processor is qualified as ‘concerned’.
  • Only the processor is involved: the Member State where the main establishment is located is the lead supervisory authority. If such a main establishment is located outside of the EU, the location where the processing of data takes place determines the lead supervisory authority.

The FAQ-sheet drafted by the WP29 provides a good overview of the guidelines on the lead supervisory authority.

Expected guidelines

WP29 is expected to publish additional guidelines – on privacy impact assessments and certification – later this year. Ovidius will keep you updated on its web page Data Protection Update.


