The General Data Protection Regulation (‘GDPR’) will radically change the European data protection legislation. Even if the Regulation will come into effect on 25 May 2018, its provisions set forth certain onerous obligations, the implementation of which requires the due time and organization. To facilitate compliance with the provisions of the GDPR, the Article 29 Working Party (WP29) has focused on the main key legal changes to provide recommendations in order to ensure the correct compliance. The Italian Guarantor has taken an active part in the drafting of the guidelines.
These guidelines concern the “Data Protection Officers” (DPO), the “right to data portability” and the “identification of a controller or processor’s lead supervisory authority”.
- “Data Protection Officers” (DPOs)
DPOs will be at the heart of the new legal framework for many organizations.
The guide (click here to download) lists the subjective and objective requirements for the designation of a DPO. According to Art. 37(1) of the GDPR, the designation of a DPO is mandatory where: (a) the processing is carried out by a public authority or body; (b) the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
The WP29 has clarified some notions, which the GDPR do not define. For example, the guidelines specify that the notion of a “public authority or body” has to be determined on the basis of national law. Therefore, the designation of a DPO is mandatory both in cases of national, regional and local authorities and of bodies governed by public law. This designation is in any event mandatory also in the event of natural or legal persons that, even if they do not fall in the “public authority” definition, they carry out public tasks in sectors such as energy supply, road infrastructure and public service broadcasting, etc.
“Core activities” are identified in the key operations necessary to achieve the controller’s or processor’s goals. The guidelines explain that the processing of data which forms an inextricable part of the controller’s or processor’s activity is also considered as “core activities”. The notion of “regular and systematic monitoring” applies to all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising, but is not limited to online activities only.
As to the concept of “large scale”, the following factors should be considered: (i) the number of data subjects concerned (also as a proportion of the relevant population); (ii) the volume of data and/or the range of different data items being processed; (iii) the duration or permanence of the data processing activity; and (iv) the geographical extent of the processing activity.
The document explains (through concrete examples) which are the requested levels of expertise, the personal and professional qualities and the knowledge that the DPO should have (expertise in national and European data protection laws and practices; integrity and high professional ethic, etc.). The guidance also clarifies and defines the tasks of the DPOs and also that they are not personally responsible in case of non-compliance with the GDPR. Indeed, the controller or the processor is required to ensure and to be able to demonstrate that the processing is performed in accordance with the GDPR provisions.
- The “right to data portability”
The guidelines (click here to download) underline that the purpose of this new right (set forth by Art. 20 GDPR) is to empower the data subject to receive the personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format, and to give him/her more control over the personal data concerning him or her. According to the guidelines, the data controllers must inform the individuals regarding the availability of this new right to portability. Should the data controller receive a request by the data subject, the data controller will have a period of a maximum of three months to comply with the request. The WP29 has specified that the most appropriate format to provide the personal data requested will differ across sectors and adequate formats may already exist, but should always be chosen to achieve the purpose of being interpretable.
The right to data portability only applies: (i) to personal data an individual has provided to a controller; (ii) where the processing is based on the individual’s consent or for the performance of a contract; and (iii) when processing is carried out by automated means (and therefore it does not cover paper files).
The guidelines also face some technical issues as to the requirements that should facilitate the interoperability of the data format provided by the data controller and the need to develop applications that facilitate the exercise of the right.
- The criteria for “identifying a controller or processor’s lead supervisory authority”
The EU Guarantors have also clarified the criteria for the identification of the "lead supervisory authority" (click here to download the guidelines). The identification of a lead supervisory authority is only relevant where a controller or processor is carrying out the cross-border processing of personal data.
Particularly, this processing of personal data is of relevance when it "takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State" (Art. 4(23) GDPR). The WP29 has specified that the used wording is aimed at ensuring that not all processing activity, with any effect and that takes place within the context of a single establishment, falls within the definition of “cross-border processing”. Therefore, the guidance provides useful examples to understand the correct meaning of this provision.
As specified by the WP29, a “lead supervisory authority” is the primary authority responsible for dealing with a cross-border data processing activity, therefore this authority will deal with, for example, complaints filed by data subjects about the processing of his or her personal data.
Since the identification of the lead supervisory authority depends on determining the location of the controller’s “main establishment” or “single establishment”, the WP29 has provided guidelines for identifying this location. The guidelines underline that it is firstly necessary to identify the central administration of the data controller in the EU, if any. However, the WP29 has clarified that there can be situations where more than one lead authority can be identified. This could be the case of an establishment, other than the place of central administration that makes autonomous decisions concerning the purposes and means of a specific processing activity. Given this circumstance, the WP29 has highlighted that it will be essential for companies to identify precisely where the decisions on purpose and means of processing are taken. To this end, the guidelines provide useful concrete examples. In some complex cases (“Borderline cases”), the identification of the main establishment or the determination of the place where decisions about data processing are taken could be very difficult. In these cases, the GDPR does not provide any solution. The guidelines, therefore, suggest that the most pragmatic way to deal with this would be for the company to designate the establishment that will act as its main establishment. However, “forum shopping” is not allowed by the GDPR.
The above is a brief summary of the main aspects that the WP29 has addressed in order to facilitate companies in the compliance with the GDPR’ provisions. The activities are clearly many. Therefore, it is essential to strive as soon as possible to correctly implement the new legal framework.
The Italian Guarantor announced that it will provide detailed charts to explain in depth how to use these new legal means that the GDPR has introduced.