The Article 29 Working Party (WP29) has issued its final guidance on Data Protection Officers (DPOs), Data Portability and Lead Supervisory Authority, in response to stakeholders’ comments. Some of the new points raised in the revised guidance are set out below.
The revised DPO guidance notes that:
- An organisation’s analysis of whether or not a DPO should be appointed is part of the documentation that should be kept to comply with the accountability principle. Such documentation may be requested by the Data Protection Commssioner (DPC), and should be reviewed and updated when controllers/processors undertake new activities, or provide new services.
- ‘Data-driven marketing activities’ are an example of an activity that may constitute ‘regular and systematic monitoring of data subjects’.
- A DPO may have the help and support of a team, if necessary, to effectively communicate with data subjects and cooperate with the relevant DPA.
- A DPO should preferably be located in the EU, whether or not the controller or processor is established in the EU.
- A DPO is bound by secrecy/confidentiality concerning the performance of his/her tasks, as employees may be reluctant to complain to the DPO if the confidentiality of their communications are not guaranteed.
- The obligation of secrecy/confidentiality does not prohibit a DPO from consulting the relevant supervisory authority for advice.
- The name of the DPO must be communicated to the relevant supervisory authority, in order for the DPO to serve as a contact point.
- A DPO’s duty to report to ‘directly the highest level of management’, to ensure the board is aware of the DPO’s advice and recommendations, may be fulfilled by the drafting of an annual report of the DPO’s activities for the Board.
- A conflict of interest may arise if an external DPO, such as a lawyer, provides DPO services, and is asked to represent the controller or processor before the Courts in cases involving data protection issues.
The revised Portability guidance:
- Removes reference to the primary aim of data portability being to facilitate switching of service providers and enhancing competition. Instead it emphasises that the primary aim is to empower data subjects.
- Highlights that whilst it is the controllers’ responsibility to respond to a portability request, the processor is obliged to assist the controller to respond.
- Emphasises that the GDPR does not establish a general right to portability where the processing of personal data is not based on consent or contractual necessity. For example, there is no obligation for financial institutions to answer a portability request concerning data processed as part of their AML legal obligations.
- Notes that the data subject has the right to transmit the data to another controller ‘without hindrance’. Such hindrance “can be characterised as any legal or financial obstacle places by the controller in order to refrain or slow down access, transmission or reuse by the data subject or another controller“. Examples include fees, lack of interoperability, excessive delays or complexity, deliberate obfuscation or undue accreditation demands. The WP29 accept that some legitimate obstacles might arise, such as ones related to the rights of third parties or security.
- Notes that controllers should explore two different and possibly complementary paths for making portable data available to data subjects and other controllers: (i) a direct transmission of the overall dataset of portable data (or several extracts of parts of the global dataset) and (ii) an automated tool that allows extraction of relevant data.
- Provides that controllers should assess the specific risks linked with data portability and take appropriate risk mitigation measures, such as authentication techniques (e.g. a onetime password) or suspending or freezing a transmission if there is a suspicion that the account has been compromised.
The revised Lead Supervisory Authority Guidance notes that:
- The GDPR does not specifically deal with the issue of designating a lead authority where two or more controllers established in the EU jointly determine the purposes and means of processing (i.e. joint controllers). The WP29 notes that in order to benefit from the one stop shop principle that joint controllers should designate which establishment of the joint controllers will have the power to implement decisions about the processing with respect to all joint controllers. That establishment will then be considered to be the main establishment.
- The lead authority, or concerned authorities, can rebut the controller’s analysis of where its main establishment is, based on an objective examination of the relevant facts, and may request further information where required. Effective records of data processing activity would help both organisations and supervisory authorities to determine the lead authority.
- A processor may provide services to multiple controllers located in different Member States, for example, a large cloud-service provider. In such cases, the lead supervisory authority will be the supervisory authority that is competent to act as lead for the controller. In effect, this means a processor may have to deal with multiple supervisory authorities.