Following draft guidance published late last year, the Article 29 Working Party (WP29) has approved final versions of its guidance on data protection officers (DPOs), data portability, and the identification of a lead supervisory authority under the General Data Protection Regulation (GDPR).
Data Protection Officers
The guidance on DPOs summarises the key requirements under the GDPR. Public authorities and any organisation whose core activities consist of processing special category (sensitive) personal data or that regularly and systematically monitors data subjects on a large scale will need to appoint a DPO. The requirement to appoint a DPO applies to both controllers and processors.
The WP29 provides some guidance on how this should be interpreted. Whilst simply holding special category personal data on employees will not constitute a core function, using that data to provide healthcare services would. In practice, that is likely to mean that a number of charities and outreach functions in health and social care will be required to appoint a DPO.
The WP29 goes on to say that “systematic monitoring” is not just limited to online tracking. It would include data-driven marketing, credit scoring, location tracking, CCTV, and using data from connected devices such as wearables, smart meters and home automation.
When considering whether processing is large-scale, relevant factors will include the number of data subjects, the volume of data and the duration of the processing.
Whilst the GDPR states that a DPO can be shared with another organisation (for example within a corporate group) or outsourced to a service provider, the WP29 emphasises that this can only happen where it is done in a way that does not impact upon the duties of the DPO. In particular, the DPO will need to have sufficient knowledge of the organisation, resources and involvement in discussions and decisions relating to the organisation’s handling of personal data.
Finally, the WP29 provides some guidance on the requirement that DPOs should not be subject to any conflicts of interest. In particular, the WP29 notes that:
As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments), but may also [sic] other roles lower down in the organisational structure.
Data Portability
Data portability is a new right under the GDPR. It applies to personal data processed using automated means (so not paper records), where processing is carried out either on the basis of consent or because it is necessary for the performance of a contract to which the data subject is a party. In short, it is intended to enable a data subject to export their data or easily move it to a third party provider.
The WP29 emphasises that the right of data portability is distinct from the right to make a subject access request. Those rights are different things and can be exercised independently.
Whilst GDPR states that the right of data portability applies to personal data “provided to a controller”, the WP29 interprets this broadly. In particular, the WP29 states that this includes “observed” data – for example, raw data processed by a smart meter, activity logs, history of website usage or search activities. Whilst user profiles created from such data are expressly excluded by the WP29, this interpretation substantially broadens the scope of data that an organisation might have to make available.
The WP29 also gives some guidance on third party personal data, noting that in some circumstances the data to be provided will necessarily include personal data relating to third parties – for example details of bank transfers in relation to bank account transaction histories and details of recipients of emails in relation to a webmail service. However, providing that information to a new data controller does not permit that new data controller to use the third party data for other purposes – for example, for marketing purposes.
In order for organisations to prepare for data portability, there are a number of issues to consider:
- Can a system be implemented to simplify or automate data portability requests?
- How will responsibilities be allocated between joint data controllers?
- Do you need assistance from a data processor to comply with a data portability request? If so, what assistance do you need? Does your contract deal with that?
- What format will data be provided in and what means of transfer will be used (noting the requirement to ensure that any data transfer is secure)?
Lead Supervisory Authority
The final guidance note relates to identifying a controller or processor’s lead supervisory authority. This is relevant not just to multinational organisations, but also to data processors processing personal data on behalf of data controllers that are located in another EU member state.
The GDPR enables organisations to identify a lead supervisory authority when operating in multiple member states. The intention is to simplify an organisation’s dealings with regulators, by appointing one lead regulator that will then liaise as required with regulators in other countries.
The test for identifying the lead supervisory authority is based on the main establishment of the data controller. This is likely to be the place of central administration with authority to implement decisions in relation to data processing activities, or where the main processing takes place. However, the WP29 notes that an organisation/group of companies may have different locations for different data processing activities. It gives the example of a German bank, which has an insurance subsidiary that is headquartered in Austria. In that case, Austria would be the main establishment for processing in relation to insurance services.
The guidance also notes that when dealing with a group of undertakings, there may not be a central place of administration where decision making is delegated to national subsidiaries/branches. In that case, it may not be possible for the group to appoint a lead supervisory authority.
Finally, the guidance emphasises that data processors may need to liaise with multiple supervisory authorities – not just the supervisory authority for the country or region in which they are located, but also the relevant lead supervisory authority for each data controller on behalf of whom they process personal data. For those data processors that operate internationally, that means that they will need to deal with multiple supervisory authorities, which may create an administrative burden when dealing with, say, a data breach incident.
Where can I download the Article 29 Working Party guidance?
You can download the WP29 guidance on the WP29 website.