Many EU regulators are relying on the Article 29 Working Party (WP29), at least in the initial stages, to produce guidance on implementing the GDPR. Others are already beginning to produce their own guidance, often heavily based on WP29 guidance. Here is a snapshot of regulator approaches in some key EU jurisdictions. For a full list of EU Member State guidance as at October 2017, see here.
German Data Protection Regulatory Authorities have been issuing statements about the General Data Protection Regulation (GDPR) for a while now. In the past few months, regulators have been particularly busy publishing both shorter papers and detailed guidance on specific aspects of implementing the GDPR, as well as guidance on the new German Federal Data Protection Act (BDSG-new).
The Data Protection Conference (Datenschutzkonferenz, "DSK", an independent German advisory body on data protection and privacy) has issued, at the time of writing, a total of eleven working papers. Of the State regulators, the Bavarian one has been busiest, issuing 20 short guidance papers so far. Below, we provide an overview of these working papers.
The working papers of the Bavarian regulator cover topics such as mutual assistance between the DPAs and collective measures, special categories of personal data, the right to be forgotten, data processors, security of data handling, data breach notifications, codes of conduct, the One-Stop Shop, and data protection in employment.
The DSK has, among others, issued guidance notes on the market location principle, i.e. the applicability of the GDPR to non-European companies that offer goods or services to, or monitor, data subjects in the EU, and on a plan of measures describing how companies should adapt their processes and procedures to the GDPR.
Guidelines and statements on when a Data Protection Officer (DPO) is required, and on what you need to know about the DPO's designation, position and tasks within an organisation, have been issued by the Bavarian regulator, the North Rhine-Westphalian DPA and the Hessian Commissioner for Data Protection.
The concept of consent and its requirements are familiar ones. However, there is some uncertainty around the GDPR's enhanced requirements, which various German regulators are attempting to address. For example, the Bavarian and North Rhine-Westphalian regulators, as well as the Berlin Commissioner for Data Protection and Freedom of Information, have issued relevant guidance. Previously, the Düsseldorfer Kreis, the joint committee of DPAs for the private sector, had issued guidance declaring that consents obtained before 25 May 2018 would remain valid under the GDPR. Such consents continue to be valid insofar as they already meet the GDPR's requirements, for example that they were freely given and were given by someone at or above the applicable national minimum age.
Information on how to carry out the data protection impact assessment (DPIA) required by the GDPR can be found in publications of the DSK and the Bavarian regulator, and in the white paper of the Schleswig-Holstein regulator, the Independent State Centre for Data Protection.
Data subject access rights are discussed by the DSK, the Bavarian regulator, the North Rhine-Westphalian Commissioner for Data Protection, the Hessian Commissioner for Data Protection and the Independent Centre for Data Protection of Schleswig-Holstein.
The possibility of certification, allowing organisations to demonstrate their compliance with data protection law, has been another topic for the Bavarian regulator and the North Rhine-Westphalian Commissioner for Data Protection and Freedom of Information.
Surveillance and monitoring
Video surveillance as a specific issue in the light of the GDPR is examined by the Bavarian DPA and the Hessian Commissioner for Data Protection. Scoring, i.e. the practice of credit scoring, is discussed by the North Rhine-Westphalian Commissioner for Data Protection and Freedom of Information and the Independent Centre for Data Protection of Schleswig-Holstein.
Technical and organisational measures
Advice on appropriate technical and organisational measures has been published both by the Independent Centre for Data Protection of Schleswig-Holstein and by the Berlin Commissioner for Data Protection and Freedom of Information.
Unlike the German regulators, the Czech Data Protection Office (CDPO) has taken a fairly minimalist approach. Its basic position is that there is nothing dramatically new in the GDPR, as most of the obligations have already been implemented in the current national Data Protection Act. While it has published the WP29 guidance in Czech, its own publications are limited to:
- a Q&A paper, which is very basic, merely highlighting extracts from the text of the GDPR; and
- a paper on 10 main misconceptions about the GDPR (e.g. that a DPO will be obligatory for every business, or that the GDPR is a revolution in data protection).
There are, however, two opinions of the CDPO which are worth noting:
- In the CDPO's view, the free movement of personal data within the EU does not mean that any data can be shared within the EU. The CDPO maintains the strict opinion it published on the basis of Czech national data protection law: that it is not legitimate to transfer personal data of Czech employees to centralised HR functions in a headquarters outside the Czech Republic, nor to give HR staff at the headquarters, or managers of the headquarters or of other affiliates, access to personal data of Czech employees. The reasoning is that the local organisation is an independent entity: Czech employees are paid by the local affiliate and, therefore, there is no legitimate reason to share their data "within the group". The CDPO has stated that it will continue to hold this view after the GDPR applies.
- Unofficially, the CDPO has suggested that, in order to be "independent", a DPO must not be an employee of the data controller or processor. However, this is only the informal opinion of some CDPO employees, and there has been no official communication on the issue.
The Polish data protection authority, the Inspector General for Personal Data Protection (GIODO), which will be renamed the President of the Office for Personal Data Protection once the GDPR applies, has published numerous instructions and guidance on implementing the GDPR, including a series of articles titled "One year to GDPR / Are you prepared for GDPR?", intended to educate data controllers about their most important obligations.
In its publications, GIODO emphasises the need to review all personal data processing operations and to assess the risks associated with each of them individually. GIODO notes that data controllers will have more autonomy in deciding on the appropriate level of measures applied to secure their processing. The authority has announced that, after 25 May 2018, it will publish codes of conduct supplementing the GDPR by describing best practices for data security which data controllers may use. It also reminds data controllers that they can refer to existing ISO standards on information security management.
GIODO also educates businesses about the new rights of data subjects, such as the right to data portability, i.e. the right to request that personal data be transferred to another data controller, and stresses that they will need to adjust their internal procedures so that such requests can be handled in a timely manner. The authority also addresses concerns such as whether consent to process personal data obtained under the current law will remain valid under the GDPR's enhanced requirements. GIODO has clarified that such consent will remain valid provided that the data subject is given the opportunity to withdraw it.
GIODO further reminds data controllers of the need to review their data processing agreements, which are regulated in more detail under the GDPR.
The Slovakian Data Protection Office has issued several brief opinions (e.g. a comparison of the main changes in data protection legislation, FAQs on the GDPR, and opinions on DPOs and the one-stop-shop principle), and its employees occasionally give lectures at local conferences and workshops.
The Netherlands has so far taken a fairly 'hands off' approach to guidance, mainly replicating guidance from the WP29.