During its April plenary meeting, the Article 29 Working Party (WP29) critically examined various matters concerning the implementation of the GDPR and of the Privacy Shield. Following this meeting, the WP29 adopted key documents including its final guidelines on data portability, data protection officers and lead authority. It also adopted its guidelines on data protection impact assessments, which is open for public consultation for six weeks before its final adoption. Below, we have summarized the key points of the three recently adopted final guidelines for you:

1. The right to data portability 

Article 20 of the GDRP creates a new right to data portability, which enables data subjects to receive their personal data, and to transmit those data from one data controller to another data controller. It follows from the guidelines that this right covers data that has been provided by the data subject knowingly and actively, and that it should concern data generated by their own activity. The data should be delivered to the data subject, or to the other data controller, in a structured, commonly used and machine-readable format.   The guidelines encourage data controllers to start developing the means to answer data portability requests, and recommends best practices and tools for this purpose.  

2. Data Protections Officers (DPOs)

Under article 37 of the GDPR, designating a DPO will be mandatory for all public authorities and bodies, as well as other organizations that – as a core activity – monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale. The guidelines are also relevant regarding DPOs under other directives, however our newsletter will focus on its relevance with regard to the GDPR.

Public authorities and bodies: The GDPR does not define what constitutes a public authority or body, and the WP29 considers that such a notion is to be determined under national law.

Core activity: The guidelines articulate such activities as the key operations necessary to achieve the controller’s or processor’s goals.

Large scale: The GDPR does not define what constitutes large-scale processing, and the WP29 shares the view that it is not possible to give a precise number. WP29 has however expressed its view that over time, a standard practice may develop for identifying in more quantitative terms what constitutes large scale. It has also expressed its plan to contribute to this envisaged development. Until then, it has pointed out that the number, volume, duration and geographical extent of the processing will be key factors in determining whether the processing is carried out on a large scale or not.

Regular and systematic monitoring: WP29 has interpreted regular as meaning 1) ongoing or occurring at particular intervals for a particular period, or 2) a recurring or repeated at fixed times, or 3) as constantly or periodically taking place. Systematic has been interpreted to mean 1) a part of a strategy, or 2) according to a system, or 3) as part of a general plan for data collection, or 4) pre-arranged, organized or methodical.

Special categories: Article 37(1)(c) addresses the processing of special categories of data i.e. personal data that reveals sensitive information as set out in article 9 which includes data such as racial or ethnic origin, political opinions or religious beliefs, and personal data relating to criminal convictions and offences as set out in article 10. The WP29 has noted that whilst the provision uses the word ‘and’, there is no policy reason for the two criteria to be applied simultaneously and that therefore, the text should be read as ‘or’.

The guidelines further elaborate on the required expertise and qualities of the DPO, and emphasizes that DPOs are not personally responsible in case of non-compliance with the GDPR; data protection compliance is a responsibility of the data controller or processor.  

3. A Controller or processor’s lead supervisory authority      Identifying a lead supervisory authority (LSA) is only relevant where a data controller or processor is carrying out cross-border processing’s of personal data. The LSA will be the authority with the primary responsibility over the cross-border data processing activity. For example, if a data subject makes a complaint about the processing of their personal data, the LSA will be responsible for addressing this complaint.

Identifying the LSA will depend on determining the location of the controller’s main establishment, and single establishment (article 56 GDPR). Article 4(16) of the GDPR further defines a ‘main establishment’, which includes the description of a central administration point.

According to article 4(23) of the GDPR, cross-border processing takes place when;  1) an organization has an establishment in more than one Member State and the processing of personal data takes place in the context of their activities; or  2) the carrying out of processing by an establishment in one Member State substantially affects data subjects in more than one Member State.

Substantially affects has not been defined in the GDPR, and supervisory authorities will interpret this term on a case by case basis. The WP29 has mentioned that it will look at the type of data, the purpose, and various factors such as the likelihood of the processing causing damage, discrimination, unfair treatment or other negative outcomes in order to establish substantial effect. 

The guidelines also include an annex to help organizations identify their lead supervisory authority.