During its last plenary session in December 2016, the Article 29 Working Party (“WP29”) adopted three guidelines pertaining to the implementation of the General Data Protection Regulation (the “Privacy Regulation”). The guidelines deal with, respectively, data portability (the transmittal of data between controllers), the data protection officer (“
DPO”) and the lead supervisory authority. Until the end of January 2017, stakeholders were invited to send their (additional) comments to the WP29.
The role of the WP29
WP29 is an independent European institution active within the sphere of data protection and privacy. The working party consists of (representatives of) the twenty-eight national data protection authorities and is assisted by the European Data Protection Supervisor. WP29 often publishes opinions on various topics relating to data protection and privacy, by means of which it aims to facilitate a consistent interpretation and enforcement of various regulations within the European Union. WP29 also provides expert opinions to the European Commission. Some documents of the WP29 are open to public consultation, such as the guidelines discussed in this blog post. The guidelines offer an explanation to and elaboration on topics regulated in the Privacy Regulation. Ovidius discusses several interesting points from these guidelines.
Guidelines on the right to data portability
Data portability, or – more specifically – the right thereto, is a newly created right under the Privacy Regulation. Data subjects are entitled to receive the personal data from the controller (the person or legal entity responsible for the processing of data) in a structured, commonly used and machine-readable format, and to transmit their personal data to another controller if desired. The data has to be made available to the data subject in such a manner that such transmittal is actually possible. The
- • A data subject can only exercise this right if he has given his consent to the processing of his personal data, or if this is done on the basis of a contract. Data that is being processed under one of the identified exceptions (such as a substantial public interest) is not susceptible to such a request.
- The data has to concern the data subject;
- The data must have been provided by the data subject; in other words, it either has to have been given to the controller (for example: an e-mail address) or have been generated by the controller through observation of the behaviour of the data subject (for example: search history).
The guidelines also specify how such a request should be dealt with. A controller generally has to comply with such a request within one month (maximum three months in complex cases) and cannot charge the data subject for it. The
Guidelines on data protection officers
The Privacy Regulation imposes an obligation on certain types of organizations to appoint a DPO. This obligation applies to public institutions that process personal data, organizations for which the processing of personal data is a core activity, and organizations that, for example, monitor people on a large scale (such as surveillance companies). Organizations can also voluntarily opt to appoint a DPO. After appointment, however, such a ‘voluntary’ DPO is subject to the same rules as an ‘involuntary’ DPO. Even though the
- The DPO must be involved in all issues pertaining to data protection, and should be offered the opportunity to give its opinion on decisions that touch upon data protection;
- The DPO has to be provided with sufficient funds, time and manpower to carry out its tasks;
- The DPO has to be protected against repercussions (sanctions, dismissal) caused by the performance of its duties; just as a member of the Works Council is entitled to a certain level of protection.
The guidelines also list the most important duties of the DPO:
- monitoring compliance with the Privacy Regulation;
- providing assistance in carrying out privacy impact assessments;
- prioritising risks, as the DPO should focus his attention on issues that contain a higher risk;
- involvement with the registration duty of organisations.
WP29 emphasizes that the DPO is not responsible for carrying out these duties: it remains the responsibility of the controller and/or the processor to comply with the requirements of the Privacy Directive. The DPO merely has a supporting, facilitating role. The
Guidelines on identifying the lead supervisory authority
If the processing of personal data crosses national borders, it is possible that several national data protection authorities are – in principle – competent to enforce compliance with national law. For that reason, the Privacy Regulation points towards a
- Only the controller is involved: the Member State where the main establishment is located, determines the lead supervisory authority; unless the relevant decisions on the purposes and means of the processing are taken by an establishment in a different member state.
- Both the controller and the processor are involved: first, it has to be verified whether the controller is established in the European Union and is subject to the one stop shop system (the principle that an organisation is primarily subjected to the supervision of the data authority of the member state where its central establishment is located). The lead supervisory authority of the controller is also that of the processor; the data authority competent with regards to the processor is qualified as ‘
- Only the processor is involved: the Member State where the main establishment is located, is the lead supervisory authority. If such a main establishment is located outside of the EU, the location where the processing of data takes place, determines the lead supervisory authority.
WP29 is expected to publish additional guidelines – on privacy impact assessments and certification – later this year. Ovidius will keep you updated on its web page