Article 29 Working Party issues guidance on key aspects of EU General Data Protection Regulation
Published on 20th Dec 2016
Following its December 2016 meeting, the Article 29 Working Party (WP29) has published guidelines together with FAQs on three key areas of the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018. These include:
- The right to data portability;
- Data Protection Officers (DPO); and
- Lead Supervisory Authority.
The WP29 has invited comments from stakeholders before the end of January 2017.
In 2017, the WP29 will issue guidelines on Data Protection Impact Assessments and Certification.
Flemming Moos, Partner in Osborne Clarke’s Hamburg office, commented “the guidelines come at an important time as companies try to interpret and put in place measures to comply with the GDPR, and so further detail on what the regulators are expecting is welcomed“.
The right to data portability
The right to data portability is a new right, which the WP29 emphasises is intended to give data subjects more control over their personal data, especially to reuse and manage it, or to switch between service providers. Under the GDPR, data subjects:
“…have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided…”
A number of key areas are clarified by the guidelines, including: when does the right apply and to what data; what practical measures can be used to comply with the right; and how does it relate to other data subject rights.
When does the right to data portability apply and to what data?
According to the guidelines “the GDPR does not establish a general right of data portability“. The right to data portability only applies to information being processed with the data subject’s consent or pursuant to a contract. This means that personal data which is processed under one of the other permitted conditions of processing – for example, because it is necessary for the data controller’s legitimate interests – would not be covered.
Only personal data which concerns the data subject would be in scope; this would include pseudonymous data that can be clearly linked to a data subject. The WP29 recognises that information could also include personal data relating to several other data subjects, and warns against taking an overly restrictive interpretation which excludes the provision of any information containing third party data whatsoever.
The WP29 makes a distinction between personal data generated by and collected from the activities of users, which would be covered by the data portability right, versus data which is inferred or derived by the data controller, which would not be in scope. So, for example, data exclusively generated by the data controller, such as a user profile or algorithmic results created by analysing raw data collected, may not be covered. The rights of data controllers and other parties in trade secrets and other intellectual property in the information covered by the right to data portability must also be considered but according to the WP29 “cannot, however, in and of itself serve as the basis for a refusal to answer the portability request“.
Practical measures to comply with the right to data portability
The guidelines envisage that data controllers will need to implement different technical tools to facilitate this right. These include a process for acknowledging receipt of requests, ascertaining the identity of the data subject and responding to the requests without undue delay – something which WP29 anticipates should be technically possible for controllers operating information society services to do in a very short-time period.
Technical measures for providing the information include allowing data subjects to download their personal data directly from the controller’s website or directly transmit the data to another data controller, for example, by making an API available. The format must support re-use and ensure the data will be interpretable. The guidelines also anticipate that a trusted third party could be used as a store for personal data to which the data subject then grants access.
How does the right to data portability relate to other data subject rights?
The guidelines confirm that the right to data portability does not affect a data subject’s ability to exercise his/her other rights. For example, it does not automatically trigger the deletion of data from a controller’s systems and it should not stop a data subject from continuing to use and benefit form services provided by the data controller.
Data Protection Officers
The WP29 describe DPOs as being “at the heart” of the GDPR for many organisations, facilitating compliance with the requirements of the GDPR.
The concept of the DPO is not new. Some Member States’ national laws (for example, in Germany) already require the designation of a DPO in certain circumstances. However, for organisations which have not previously been subject to such a requirement, DPOs have been (one of) the big talking points arising from the GDPR. The WP29’s guidelines help to answer some of those questions which have been asked in recent months as companies prepare.
When does the GDPR require the designation of a DPO?
A DPO is required by controllers and processors in three specific cases:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data, or personal data relating to criminal convictions and offences.
The guidelines clarify the criteria and terminology used in the GDPR:
‘Core activities’ are described as the key operations necessary to achieve the controller’s or processor’s goals (including activities which are an inextricable part of the controller’s or processor’s activities). Necessary support functions (such as paying employees or standard IT support) are usually considered ancillary functions rather than the core activity.
Whether a processing activity is carried out on a ‘large scale’ will depend on a number of factors; including the number of data subjects concerned, the volume of data and/or the range of data items being processed, the duration or permanence of the processing, and the geographical extent of the processing. The WP29 sets out a number of examples of large scale processing, and also confirms its plans to share and publicise examples of the relevant thresholds for the designation of a DPO.
‘Regular and system monitoring’ is not confined to the online environment and online tracking, the A29 confirms. Other examples include: the operation of a telecommunications network; profiling and scoring for the purposes of risk assessment; location tracking; fitness and health data via wearable devices; and connected devices.
Unless it is obvious that an organisation does not require a DPO, the organisation should document the internal analysis carried out to determine whether one is required. Where a DPO is not mandatory, organisations may decide to designate a DPO on a voluntary basis. However, should they do so, the same requirements under Articles 37 to 39 of the GDPR will apply to his or her designation, position and tasks as if the designation had been mandatory. The voluntary appointment of a DPO should not be confused with staff or outside consultants who have tasks relating to the protection of personal data (but who are clearly not given the title or role of DPO).
What is required of a DPO?
A DPO must be “easily accessible from each establishment”. That means that a group of undertakings can appoint a single DPO, as long as he or she is personally available to efficiently communicate with data subjects, supervisory authorities and internally within the organisation (including in the language or languages of the supervisory authorities or data subjects concerned). A single DPO must be able to perform their tasks efficiently despite being responsible for several undertakings.
A DPO must have the necessary skills and expertise, which should be determined according to the data processing activities carried out and the protection required for the personal data being processed. An in-depth understanding of the GDPR is essential, and knowledge of the business sector and of the organisation is useful.
A DPO can be appointed on a part-time basis, alongside other duties; provided that those other duties do not give rise to conflicts of interest, and as long as the DPO is given sufficient time to fulfil their duties as a DPO.
An external DPO, or DPO team may be appointed, provided that the DPO must be able to fulfil its / their tasks, they must be independent and they must be afforded sufficient protection (for example, from unfair termination of a service contract).
What is the role of a DPO?
The DPO must be involved, from the earliest stage possible, in all issues relating to the protection of personal data. Appropriately informing the DPO should be a standard procedure within the organisation’s governance. That means that they should be: invited to participate regularly in meetings of senior and middle management; present where decisions with data protection implications are taken; and promptly consulted once a data breach or other incident has occurred. According to the WP29, the DPO will “play a key role in fostering a data protection culture within the organisation”.
Lead Supervisory Authority
During the negotiation of the GDPR, the ‘one-stop-shop mechanism’ was coveted as the solution to problems faced by multi-national organisations under the current regime, which are supervised by a number of different regulators, all taking a slightly different approach to enforcement. Much has been made of how that ‘one-stop-shop mechanism’ was watered down during the negotiations, so that in the final draft any regulator (or ‘supervisory authority’) will be able to deal with complaints lodged by data subjects where the complaint, in effect, relates only to their country.
Nonetheless, the ‘one-stop-shop mechanism’ (or ‘consistency mechanism’) is still available where a controller or processor is carrying out the ‘cross-border processing’ of personal data. That means, where an organisation:
- has establishments in two or more EU Member States and the processing of personal data takes place in the context of their activities in those establishments; or
- only carries out processing activities in the context of its establishment in one EU Member State, but the activity substantially affects, or is likely to substantially affect data subjects in more than one EU Member State.
If that mechanism is available, the lead supervisory authority will closely involve and co-ordinate other ‘concerned’ authorities in its enforcement of the GDPR. In theory, this should help alleviate the problems arising under the current regime. The guidelines add some further clarity and detail to the circumstances in which the ‘one stop shop’ mechanism will be available.
Determining which supervisory authority is the lead supervisory authority – for controllers
Identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’.
The general principle is that the central administration in the EU will be the main establishment, unless another establishment (or other establishments) take(s) the decisions about the purposes and means of the processing, and have the power to have such decisions implemented.
The WP29 recognise that “there may be cases where an establishment other than the place of central administration makes autonomous decisions concerning the purposes and means of a specific processing activity”. In those cases, more than one lead supervisory authority can be identified. The guidelines suggest that organisations that have a more centralised decision-making headquarters and branch-type structure are more likely to have a single lead supervisory authority, than organisations with a more complex decision-making system across the group.
The controller itself should identify its lead supervisory authority (after assessing where decisions on purpose and means of processing are taken); though that decision can subsequently be challenged by supervisory authorities.
Helpfully, the WP29 identifies that there may be so-called ‘borderline cases’, where it is difficult to identify the main establishment or to determine where decisions about data processing are taken. One example given by the guidelines is where there is cross-border activity, but there is no central administration in the EU and none of the EU establishments are taking decisions about the processing. In those circumstances, says the WP29, the GDPR does not provide a solution. Unless the organisation designates an establishment in the EU that will act as its main establishment (and which has the authority to implement decisions about processing activities and to take liability for the processing), it will not be possible to designate a lead supervisory authority (or consequently, to benefit from the ‘one-stop-shop mechanism’).
Mark Taylor, Partner in Osborne Clarke’s London office commented “this example from the WP29 of a borderline case will resonate with a number of multi-national companies who are headquartered in the UK and are still grappling with the implications of Brexit on the implementation of the GDPR. There are a significant number of UK-headquartered companies with other EU establishments, none of which take decisions about data processing. Depending on what Brexit ultimately looks like, those companies may not be able to take advantage of the ‘one-stop-shop mechanism’.”
Determining which supervisory authority is the lead supervisory authority – for processors
Processors with establishments in more than one EU Member State can also benefit from the ‘one-stop-shop mechanism’. The processor’s main establishment will be the place of the central administration of the processor in the EU or, if there is no central administration in the EU, the establishment in the EU where the main processing takes place.
In cases involving both controller and processor, the guidelines confirm that the competent lead supervisory authority should be the lead supervisory authority for the controller.
What if your organisation does not have an establishment in the EU
Emily Jones, Partner and head of Osborne Clarke’s Silicon Valley Office “it is particularly useful for US companies to know more about how to identify their lead supervisory authority since many companies operate across almost all EU Member States. The guidelines also confirm that the “one-stop-shop” mechanism will not apply to data controllers without any establishment in the EU, companies falling into this category will only have to appoint one local representative in the EU to deal with local supervisory authorities in every Member State where they are active.”
These guidelines from the WP29 are immensely helpful in the run up to 25 May 2018. We will continue to review and summarise the practical implications of further guidance as and when it becomes available.
If you would like to discuss how the GDPR impacts on your organisation in more detail – for example, to plan your roadmap to compliance (to the extent that you have not already done so), to consider what you should be doing now, and to identify the key areas of risk – please do not hesitate to get in touch with one of our data protection team.