The Article 29 Working Party, the body created by that article of Directive 95/46/EC, has issued three guidelines to assist with the interpretation and application of the new aspects regulated by the General Data Protection Regulation at EU level. The guidelines address three main topics: data portability, data protection officers, and the identification of a data controller’s or data processor’s lead authority.
On 16 December 2016, the Article 29 Working Party (WP29) published three guidelines and their annexes, through which the WP29 intends to help addressees interpret the EU General Data Protection Regulation (GDPR or the Regulation) after its entry into force. This is therefore the first piece of guidance made public following the adoption of the GDPR during the first half of 2016. Such guidance was already necessary, given both the complexity of the legislative procedure that led to the final text of the Regulation and the fact that the WP29 is the body through which the national authorities voice their opinion at European level.
The guidelines deal with a number of aspects that stand out as the most relevant in this first stage of preparation for the definitive application of the Regulation, which will apply from 25 May 2018 onwards. Companies and entities directly concerned by the Regulation should pay attention to these guidelines, since they give advance notice of the approach the national authorities will follow in interpreting the GDPR.
Data Protection Officer
The GDPR regulates the role of the data protection officer for the first time; the role had not previously been reflected in Spanish law. The core message conveyed by the WP29 is that affected entities should appoint a data protection officer on a voluntary basis, even in those cases where it would not be compulsory under the GDPR. The appointment of a data protection officer will be mandatory for any public authority or body, for entities whose core activities entail “regular and systematic monitoring of data subjects on a large scale”, and for entities whose core activities involve the processing of special categories of personal data on a large scale.
The WP29 tackles concepts such as “on a large scale”, “core activities” and “regular and systematic monitoring of data subjects”, describing the factors that should be taken into account and including some useful examples. Other questions, such as the use of a single data protection officer for several entities, are also elaborated further.
Identifying the lead authority
To begin with, the WP29 analyses definitions such as “cross-border processing”, as well as concepts not defined in the GDPR such as “substantially affected”, which form part of the “cross-border processing” definition. The WP29 also analyses the probability component (the substantial effect on data subjects must be at least probable, i.e. “likely”). Likewise, the WP29 provides a number of factors that should be closely analysed to ascertain whether a data subject can be considered “substantially affected” by a processing operation.
Furthermore, the WP29 goes on to analyse the identification of the lead authority in relation to data controllers. The wide range of possible situations is analysed: one authority for several cross-border processing activities carried out by the main establishment, autonomous cross-border processing activities carried out by an establishment other than the main one, and so on. The WP29 emphasises that the concept of lead authority is developed in connection with particular processing activities (not the entire scheme of an entity’s data flows), so a single controller may therefore have to deal with a varying number of authorities.
A particular case is scrutinised by the WP29: groups of companies that do not have their decision-making establishment within the EU. In such cases, the establishment within the EU responsible for implementing the main decisions should be designated in order to identify the lead authority, so that the group can benefit from the one-stop-shop principle (thereby avoiding undesirable forum shopping).
Data portability
Finally, the WP29 interprets the manner in which, and the cases in which, data subjects may exercise their right to data portability. The right to data portability requires that three cumulative conditions be met: (i) automated processing based on consent or on the performance of a contract; (ii) data concerning the data subject and provided by him or her; and (iii) that the exercise of the right does not adversely affect the rights of third parties.
This right does not affect the data retention obligations of data controllers, and it applies to the data provided by data subjects or derived from the mere observation of their behaviour. However, personal data that the controller generates from that data falls outside the scope of the right to data portability. Data controllers may refuse to act, or may charge a fee, in the case of unfounded, excessive or repetitive requests by the same data subject. In this respect, data controllers may not take into account the overall volume of requests or costs, but only those relating to the data subject concerned.
As this is a right newly regulated by the EU legislator, some observations can be made:
- Difficulties can be anticipated in interpreting the boundary between data provided by the data subject (or inferred from the data provided) and data generated by the controller itself.
- In some cases, data covered by the right will be difficult to separate from third-party data, which can pose interpretative hindrances.
- Limiting the right from the outset to data collected on the basis of prior consent or for the performance of a contract leaves aside the other legal grounds for processing regulated by the GDPR.
- Difficulties can be anticipated regarding the compatibility of this right with others. The WP29 makes it clear that a data subject may continue using the service offered by a controller after exercising their right to data portability.
- Personal data generated by profiling activities of the controller may not be captured by this right.
- In order to process third-party data that is inseparable from the data of the person exercising the right, the receiving controller must obtain the third parties’ consent.
- The overall impact that this right may have on other rights protecting data subjects and third parties (e.g. image rights) must be taken into account.