The Article 29 Working Party (A29WP), the collective body representing data protection regulators across the EU, has issued its first guidance on parts of the General Data Protection Regulation (GDPR). The guidance is however only preliminary, and comments are invited from interested parties by the end of January 2017. Throughout its guidance, the A29WP recognises that GDPR is unclear in many respects. The lack of final comprehensive guidance on GDPR is therefore becoming an increasing concern as organisations seek to prepare by May 2018 for these major changes on what is becoming a tight timetable.
The A29WP guidance covers three areas: Data Protection Officers (DPOs), Data Portability and Lead Supervisory Authorities.
The full guidance is here:
The headlines are as follows:
Data Protection Officers
Organisations have to decide whether they are required to appoint a DPO. The criterion is whether an organisation’s core activities consist of either processing involving regular and systematic monitoring of individuals on a large scale or processing on a large scale of sensitive data.
The A29WP gives some explanation of what is meant by “core activities”, giving it a wide definition. For example, a health care provider’s core activity is the provision of such care, but the processing of patient records is so inextricably linked to that as to constitute a core activity.
In relation to what is meant by “large-scale”, the A29WP provides some indications by reference to the number of individuals involved, the volume of the data and the time-scale over which it is processed. Specific examples given include processing of customer data by a bank or insurance company.
Regarding the meaning of “regular and systematic monitoring of individuals”, the A29WP says this includes tracking and profiling on the internet as well as through CCTV and connected devices like smart meters.
Unsurprisingly, the A29WP suggests a DPO should be appointed anyway even if these criteria are not met. Broadly, we agree with this. It can be very helpful for an organisation to have access to someone experienced in data protection, particularly in the period up to and immediately after GDPR takes effect. The issue is that there aren’t that many qualified people around. However, if a DPO is appointed on a voluntary basis, then the A29WP says that the GDPR requirements will apply to them. In such a case, organisations might be best advised not to formally appoint a DPO, yet still have someone effectively performing that function.
The A29WP confirms that a DPO does not have to be an employee of the organisation, but any DPO must be readily accessible within that organisation and to third parties. DPOs will not be personally responsible, from a regulatory perspective, for non-compliance with GDPR. Liability will fall on the data controller or data processor organisation.
Data Portability
This is a new right created by GDPR allowing individuals to receive their data back from an organisation and give it to a new provider if they choose to do so. The A29WP explains this involves two rights: for the individual to receive data back and retain it if they so wish; and for it to be transferred to another organisation if required.
The right is limited to data provided by the individual to the organisation, but the A29WP gives this a wide interpretation to include data not only actively provided by the individual, but also data generated by their activities which the organisation has collected. An example of the latter is data collected by smart meters or location data. However, data created by the organisation about an individual (such as a performance record) is not covered. All of this has to be clearly explained to individuals by organisations when setting out data subjects’ rights.
The A29WP emphasises that organisations are likely to need to develop or acquire new technology to comply with individuals’ requests for data portability, as a key requirement is to make the transfer as simple as possible, for example, to facilitate switching from one provider to another. Organisations cannot charge individuals for setting up this infrastructure.
Lead Supervisory Authority
The concept of the lead supervisory authority is based on the “one-stop shop” principle – pan-EU organisations should not have to deal with multiple regulators in each country, but with one prime regulator in their “home” country.
The A29WP gives guidance on how to determine who this lead authority should be. This will be important to organisations because, although GDPR seeks to impose consistent regulation across the EU, there is still likely to be divergence in how strict regulators are in each territory and how pragmatically they engage with organisations.
Crucial to this is determining where the organisation’s “main establishment” is. This will usually be where its main administration in the EU is, says the A29WP, except where decisions about processing data are effectively taken elsewhere. For example, it would be possible for financial decisions to be made in one location, but marketing decisions involving personal data to be taken somewhere else. Or it might be possible for decisions about one type of service (e.g. banking) to be taken in one country, but decisions about another service (e.g. insurance) in a second country.
The A29WP emphasises that “main establishment” is a question of fact, and artificial choices by organisations about where the main establishment is, which do not reflect the reality of where decisions are made, will be challenged by regulators. The A29WP suggests that keeping evidence of where decisions are really made is likely to help organisations.
Finally, the A29WP says that if an organisation does not have an establishment in the EU then it cannot have a lead supervisory authority. It will have to deal with regulators in each territory that it targets. This is unwelcome news for those organisations based outside the EU which will now be caught by the extended territorial reach of GDPR and have to deal with multiple national regulators.