Data Protection Report - Norton Rose Fulbright

On 15 December 2016, the Article 29 Working Party (WP29) issued guidelines and FAQs on the provisions in the General Data Protection Regulation (the GDPR) relating to data portability (Guidelines / FAQs), data protection officers (Guidelines / FAQs), and the lead supervisory authority (Guidelines / FAQs). WP29 will accept comments on these guidelines until the end of January 2017.

GDPR Implementation Guidance

Some key points are:

  • Data protection officers (DPOs) must be able to speak the language of the country where the relevant controller or processor is based, so that they can communicate efficiently with data subjects and supervisory authorities. This may impact how many large organisations structure their privacy team, making it more difficult to appoint a centralised DPO for a group of companies.
  • The GDPR allows DPOs to fulfill tasks and duties outside the scope of data protection, but such tasks and duties must not “result in a conflict of interest”. WP29’s guidance now expressly states that senior management positions (such as CEOs, COOs, CFOs, head of marketing, head of HR or head of IT), as well as other roles that involve the determination of purposes and means of processing, will, as a rule of thumb, be positions that conflict with the role of the DPO.
  • Data portability rights (i.e. the right that allows data subjects to receive their personal data in a structured and machine-readable format and to transmit them to another data controller) apply to the raw data generated by the use of a service or device, such as search history, Internet traffic data, location data, or attributes tracked by a fitness or health tracker. Given the amount of data collected from these sorts of devices, applying the data portability requirements to this type of data is likely to be very challenging.
  • The “one-stop-shop” principle applies only to cross-border processing. In other words, where the processing is in the context of activities of a controller or processor across different Member States or where the processing of a single establishment substantially affects data subjects in more than one Member State, the general rule is that the supervision of such cross-border processing activity is led by only one supervisory authority called the lead supervisory authority. However, if a controller just processes data about residents of a Member State in that Member State (i.e., the processing is not cross-border processing), the controller will need to deal separately with the supervisory authorities in every Member State in which it is active.
  • The fact that a company’s decisions regarding certain cross-border processing activities may be made in different locations may create different “main establishments” for those processing activities, thereby subjecting the company to the jurisdiction of different lead authorities for different processing activities. Designating a main establishment will not always be straightforward.

In addition, in a press release announcing the Guidelines and FAQs, the WP29 also discussed its 2017 Action Plan, which will establish the priority issues to be addressed by the WP29. Guidelines on Data Protection Impact Assessments and Certification will be issued in 2017. WP29 will also host a workshop in April 2017, at which interested stakeholders will be invited to present their views and comments on various topics.

Our Take

As 25 May 2018 (the date that GDPR compliance becomes mandatory) is fast approaching, guidance about how to interpret the GDPR is welcome. At the same time, some companies may not like the contents of the guidance and may hope that WP29 will soften its approach. Companies affected by WP29’s Guidelines and FAQs may wish to submit feedback to WP29 before the end of January.

We will continue to monitor this and the publication of any new guidance in the New Year.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.