
WP29 guidance issued on key aspects of the EU General Data Protection Regulation

On 13 December 2016, the Article 29 Data Protection Working Party (WP29) adopted a series of guidelines and frequently asked questions on the following aspects of the General Data Protection Regulation (GDPR):

  • The right to data portability;
  • Appointing data protection officers; and
  • Identifying a controller or processor's lead supervisory authority.

The right to data portability  

The guidelines explain that the new right to data portability created under Article 20 of the GDPR is made up of the following elements:

  • A right to receive personal data processed by a data controller, in a structured, commonly used and machine-readable format;
  • A right to transmit personal data from one data controller to another data controller 'without hindrance'. This facilitates the ability of data subjects to move, copy and transmit personal data easily;
  • Data portability tools: on a technical level, data controllers should offer a direct download opportunity for the data subject. They should also allow data subjects to directly transmit the data to another data controller. This could be implemented, for example, by making an application programming interface (API) available; and 
  • Controllership: data controllers receiving personal data following a data portability request will become a new data controller and must inform the data subject of the purpose of the new processing. They are also responsible for ensuring that the data transferred is relevant and not excessive with regard to the new processing.

It is worth noting that the GDPR only establishes a right to data portability where data processing is 'carried out by automated means' (thereby excluding paper files). The right to data portability also applies only where the processing is carried out either with the data subject's consent or pursuant to a contract. The personal data requested should 'concern the data subject and be provided by him'.

In both the guidelines and the FAQs, WP29 is keen to emphasise that it considers the right should cover not only data provided knowingly and actively by the data subject but also personal data generated by his or her activity. This would include personal data generated by the individual's use of a service, for example internet search history or raw data collected by fitness trackers. However, it would not include data created by the data controller, such as a user profile created by analysing raw data from smart meters. WP29 also recommends that data controllers should clearly inform data subjects which types of data are subject to the right of data portability.

The guidelines set out best practice tips on authentication of a data subject, the expected format for the provision of data, how to deal with large or complex personal data collection and security issues on transmission. 

WP29 'strongly encourages' industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.    

Data Protection Officers  

The guidelines explain that the appointment of a Data Protection Officer (DPO) is a key part of the compliance framework for organisations that are required under the GDPR to appoint one. The WP29 also encourages the designation of a DPO on a voluntary basis even where organisations are not required to appoint one. 

The GDPR requires data controllers and data processors to appoint a DPO where: 

  • the processing is carried out by a public authority or body;
  • the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or processor consist of processing on a large scale of sensitive personal data or data relating to criminal convictions or offences.

The guidelines and FAQs contain direction on the following key points: 

  • How to establish whether an organisation is required to appoint a DPO: This includes guidance on the interpretation of 'core activities' and 'large scale'. Core activities must relate to the controller's primary activities rather than ancillary activities. However, the guidelines specify that core activities can include activities where the processing of data is inextricably linked to the controller's or processor's activities. For example, the core activity of a hospital is to provide healthcare, but a hospital would not be able to do this without collecting large amounts of personal data; therefore the processing of personal data would be a core activity. There is less precise guidance around what constitutes 'large scale', but the WP29 considers that this should involve contemplating the number of individuals affected, the volume of data involved, the duration of the processing and the geographical extent of the processing. The WP29 also makes the point that controllers and their processors should evaluate separately whether they meet the test; just because a controller is required to appoint a DPO does not necessarily mean that its processors will have to, and vice versa. 
  • Groups of organisations designating a single DPO: The DPO must be easily accessible from each establishment and able to communicate effectively with data subjects and all relevant supervisory authorities. 
  • The appropriate level of expertise and qualifications required of the DPO: These must be considered taking into account the sensitivity, complexity and amount of data the organisation processes. 
  • External DPOs: A controller or processor can appoint an external DPO provided there is no conflict of interest. Internal DPOs can only carry out other tasks if there is no conflict of interest. 
  • Involvement of DPOs in issues relating to the processing of personal data: WP29 recommends that this should involve the DPO participating in regular management meetings, being present when key decisions are made, being consulted in respect of data breaches and making sure the DPO's opinion is given due weight.
  • Resourcing: DPOs must be provided with the resources necessary to carry out their tasks. DPOs must be provided with active senior support, sufficient time and financial resources to perform, necessary access to other services and continuous training. 
  • Independence: DPOs must act in an independent manner. The WP29 interprets this to mean that DPOs must not be instructed how to deal with a particular matter. 
  • Protections: DPOs must not be dismissed or penalised (e.g. by being denied promotion or benefits) for performing their tasks as a DPO. External DPOs will be afforded the same protections.

Identifying a lead supervisory authority

Where a controller or processor carries out cross-border processing of personal data within the EU, that controller or processor will need to designate a 'lead supervisory authority'. 

The lead supervisory authority will have primary responsibility for dealing with cross-border processing activities and will coordinate investigations into breaches by the controller or processor. 'Cross-border' activities can include processing in the context of activities of a controller or processor established in several Member States, as well as processing by a controller or processor established in one Member State where the processing substantially affects data subjects in more than one Member State. 

The guidelines and FAQs are intended to provide guidance to controllers and processors to assist them with establishing which data protection regulator will act as their lead supervisory authority. 

Controllers

For data controllers, the lead authority will be the authority in the country in which the decisions about the purposes and means of processing of personal data are taken. Sometimes it may be possible to have more than one lead authority for a particular controller. For example, if a controller has a particular department established in a different Member State from its normal headquarters, there may be different lead authorities for different types of cross-border processing activities.

The guidelines emphasise the importance of identifying precisely where decisions on purposes and means of processing are made in relation to the processing activities carried out by the controller. 

Groups of undertakings

In relation to groups of undertakings, the lead authority is likely to be the authority in the country where the undertaking with overall control is established – this is likely to be the parent undertaking or 'central administration'. 

Where groups of companies have more complex decision-making processes, with different establishments having independent decision-making powers, the lead authority will be the country where the exercise of management activities that determine the main decisions relating to personal data takes place.

Processors

For processors, the lead authority will be the regulator in the country in which the processor's central administration is located. If there is no central administration, it will be where the main processing activities of that processor take place. If a case involves both a controller and a processor, the lead authority competent to deal with that case will be the controller's lead authority. The processor's lead authority will be a 'concerned' authority. 

Challenges by supervisory authorities

Controllers and processors are not allowed to 'forum shop' by claiming they have their main establishment in one Member State when in fact management activity is exercised in another Member State. Supervisory authorities can challenge an organisation's designation of a lead authority and ultimately the European Data Protection Board (EDPB) can decide objectively which authority is in fact the 'lead'.

Concerned authorities

Lead authorities must consult with 'concerned' supervisory authorities through the cooperation procedures set out in the GDPR. An authority will be 'concerned' if the controller or processor has an establishment in that Member State, if data subjects residing in that Member State will be substantially affected by processing, or if a complaint has been lodged with that Member State. 

Concerned authorities will therefore have a say in how a matter is dealt with when any of these criteria applies. A lead authority may decide not to handle a case if it would be more appropriate for the concerned supervisory authority which informed the lead authority of the case to do so.

Next steps

These guidelines are a useful starting point for organisations on some of the key elements of the GDPR that are entirely new territory. 

Multinational organisations in particular will find the guidance on identifying a lead authority of interest and we recommend that those organisations start considering now which authority would be most appropriate for them to designate. All businesses that process personal data will benefit from the guidance on DPOs and data portability. 

WP29 has invited comments on the adopted guidelines by the end of January 2017. If your organisation has any comments on the guidelines or any further points within those topics it would be useful to include in the guidelines, you can email the WP29 with comments at: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr. 

These guidelines are the first in a series of GDPR guidance documents due to be issued by the WP29. Guidelines on Data Protection Impact Assessments and Certification are expected in 2017.

Contributor: Emma Fox

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.
