Just before the festive break, the Article 29 Working Party (“WP29“), the group representing national data protection regulators in the EU, issued new guidance on several key aspects of the new General Data Protection Regulation (“GDPR“). This is the first guidance of its kind issued by the WP29, and as such represents the first time the data protection authorities have revealed their thoughts on the interpretation of the GDPR.
The guidance consists of three separate sets of guidelines and FAQs:
- an explanation of the role of the now mandatory Data Protection Officer (“DPO“);
- a guide to the new right to data portability; and
- guidance regarding the “one stop shop” mechanism for establishing the lead data protection authority in cases of cross-border data processing.
Although the guidance has been formally “adopted”, the WP29 is welcoming comments from stakeholders until the end of January 2017, so it is possible that elements may be modified in the near future. The guidance is significant as it represents EU data protection authorities’ collective interpretation of key aspects of the new regime.
Data protection officers: thresholds, roles and responsibilities
The requirement for certain organisations to appoint a DPO is one of the more fundamental changes – and costs – introduced by the GDPR. Although the threshold for a mandatory DPO has ended up being higher than that proposed in the original draft of the GDPR, this will nevertheless impact a huge number of data controllers and data processors, and therefore the WP29’s interpretation of the threshold is critical to organisations considering whether or not they need to start budgeting and recruiting for a DPO or an external service.
The 18 page DPO guidance provides specific examples of the circumstances in which the GDPR’s requirement to appoint a DPO will apply. In circumstances where the GDPR does not specifically require the appointment of a DPO, the WP29 encourages organisations to designate a DPO on a voluntary basis instead.
Article 37(1) of the GDPR requires the designation of a DPO by all public bodies and for private organisations where the “core activities” of the controller or the processor consist of processing operations that require “regular and systematic monitoring” of data subjects on a “large scale”. It’s clear from the new guidance that these terms are to be interpreted widely.
The WP29 describes “core activities” as those “necessary to achieve the controller’s or processor’s goals”. It gives the example of a hospital processing a patient’s health records as necessary to achieving the goal of providing health care. On the other hand, payroll functions or IT support do not count as “core activities”.
The guidance identifies the following factors to be considered when determining whether processing is being carried out on a “large scale”:
- The number of data subjects concerned, either as a specific number or as a proportion of the relevant population.
- The volume of data and/or the range of different data items being processed.
- The duration, or permanence, of the data processing activity.
- The geographical extent of the processing activity.
It’s clear, therefore, that small organisations could still fall within the DPO requirement if their customer base is relatively large.
The guidance notes that “regular and systematic monitoring” includes all forms of tracking and profiling on the internet. However, the WP29 is of the view that the notion of monitoring is not restricted to the online environment, and interprets “regular” as meaning one or more of the following:
- Ongoing or occurring at particular intervals for a particular period.
- Recurring or repeated at fixed times.
- Constantly or periodically taking place.
It interprets “systematic” as meaning one or more of the following:
- Occurring according to a system.
- Pre-arranged, organised or methodical.
- Taking place as part of a general plan for data collection.
- Carried out as part of a strategy.
The examples provided include the provision of telecommunications services, email targeting and closed circuit television.
The guidance also deals with issues relating to the position of the DPO within an organisation (including resourcing, independence and conflicts of interest) and the DPO’s tasks including their responsibilities in relation to Privacy Impact assessments and record keeping. Key points from the guidance are summarised in these FAQs.
Right to data portability
Data portability is a brand new right under the GDPR and compliance will require organisations to make operational changes to their systems and databases in order to comply, so again, this guidance is key in helping organisations to gear up for the GDPR.
The WP29 adopts a broad interpretation of the right to data portability, concluding that it does not only apply to data provided both knowingly and unknowingly by the subject, but also to data “provided” by the data subject by virtue of the use of a device or a service (e.g. search history and location data).
The right to data portability will be triggered where processing is based on either the subject’s consent or a contract with the subject. It does not apply in the case of processing for “legitimate interests”. The personal data must concern the data subject; therefore anonymous data will be out of scope whilst pseudonymous data will fall within scope if it can be clearly linked to a data subject.
The WP29 recommends that data controllers should start developing systems and tools to answer data portability requests. They also recommend that industry stakeholders and trade associations work together to produce a set of interoperable standards and formats.
Cross border processing: who is the lead supervisory authority?
In its third set of published guidance, the WP29 has provided guidelines for identifying a controller or processor’s lead supervisory authority, known as the “one stop shop” principle. This is relevant where a controller or processor is carrying out the cross-border processing of personal data and is a critical practical issue for multinational organisations as it will determine which national regulator takes the lead in any enforcement action with a cross border dimension.
The guidelines explore the meaning of the GDPR’s “substantially affects” test for cross border processing and the meaning of “main establishment”. They put forward a number of examples to illustrate how a lead supervisory authority should be chosen, placing an emphasis on transparency and communication with the relevant authorities. In a case where a controller is established in one Member State and the processor in another, the lead authority will be that of the controller’s Member State.
The guidelines also state that where a company does not have an establishment in the EU, it cannot benefit from the one stop shop principle and it must instead deal with supervisory authorities in every EU Member State in which it is active. Furthermore, “forum shopping” will not be permitted under the GDPR.
Interested parties who have comments on the guidance documents have until the end of January to make their views known to the WP29. In the coming weeks, the WP29 plans to publish further guidance on Data Protection Impact Assessments and Certification. Datonomy will continue to bring you updates on all GDPR guidance as and when it is released.