1. Data portability
The new right to data portability contained in the GDPR is a right of data subjects to receive the personal data that they have provided to a data controller in a structured, commonly used and machine-readable format, and to transmit that data to another data controller. This right creates an avenue for data subjects to request their personal data in addition to doing so under a subject access request.
Data controllers are not permitted to charge for providing this service and must transmit a data subject’s personal data to that data subject without undue delay and, in any event, within one month of receipt of the request. The WP29 does not foresee compliance with these timescales being an issue for data controllers operating information society services but recommends that data controllers should develop tools to facilitate data portability.
The guidance suggests that data subjects should be given the opportunity to directly download the data or transmit the data directly to another data controller; the provision of an application programming interface is suggested as a method of achieving this.
The WP29 explains that there are a number of cumulative conditions that must be satisfied in order for the data to fall within this right and not all forms of data fall within its scope. In order to fall under the scope of data portability, processing operations must be based either on the data subject's consent or on a contract to which the data subject is a party. In addition, to be within the scope of the right to data portability, data must be personal data concerning the data subject and which the data subject provided to the data controller (i.e. not including ‘inferred’ or ‘derived' data). Finally, in order for the right to data portability to apply, its exercise must not adversely affect the rights and freedoms of others.
The GDPR also places a data controller under an obligation to inform data subjects of this new right. In practice, it is likely that this information will usually be provided via privacy notices and policies. The WP29 suggests that data controllers should provide data subjects with an explanation of the different types of data that can be provided.
2. Data protection officers
The appointment of a Data Protection Officer (DPO) is not mandatory under the pre-GDPR regime but WP29 states that it has in practice developed voluntarily and the WP29 have drawn upon this voluntary practice as part of its guidance.
The guidance makes clear at the outset that despite the appointment of a DPO, responsibility for compliance with the GDPR rests with the relevant data controllers and data processors (not the DPO themselves). The guidance suggests that where it is not obvious whether a DPO should be appointed then it would be advisable on the part of the data controller and data processor to record the internal analysis behind a decision not to appoint a DPO. The WP29 suggests that even where it might not be required, the appointment of a DPO or a consultant might be useful.
The GDPR sets out three specific cases where a DPO is required to be appointed. These are set out in our DPO briefing. The guidance provides helpful examples in clarifying terms in the GDPR that are not defined such as ”regular and systematic monitoring”, which WP29 confirms includes regular and systematic location tracking, behavioural advertising and monitoring of wellness, fitness and health data via wearable devices.
3. Supervisory authority
In order to establish a more coherent and organised method of supervising cross-border processing activity that takes place in more than one Member State or processing that involves citizens of more than one EU country, under the GDPR one supervising authority can be designated as the ‘lead supervisory authority, the authority with primary responsibility for dealing with investigating processing activity’.
Identification of the lead supervisory authority will depend on the location of the controller or processor’s 'main establishment’ or ‘single establishment’ in the EU. This identification of an organisation’s main establishment involves consideration of a number of factors such as where the decisions for processing are taken.
The new guidance contains a series of questions that are designed to assist in identifying the lead supervisory authority and whether the controller or processor is carrying out cross-border data processing.
4. Further guidance
The guidance offers some clarity on previously undefined terms that were contained in the GDPR and provides some practical examples to assist organisations in seeking to comply with the GDPR. The ICO has contributed to the development of the WP29 guidance, however, the ICO’s own guidance and further WP29 guidance covering these and other issues over the coming months is expected over the coming months.