EU’s Article 29 Working Party Issues First Set of Guidance on the GDPR

On December 13, 2016, the Article 29 Working Party issued the first set of official guidance on the EU’s new general data protection regulation (GDPR), set to replace the 1995 EU Data Protection Directive in May of 2018.

The Guidelines on Data Protection Officers (‘DPOs’) emphasizes that in addition to public authorities and bodies, organizations (both controllers and processors) for whom the regular and systematic monitoring of individuals on a large scale is a core activity, will be required to designate a DPO that has expertise in the national and European data protection laws and practices. The Guidelines provide guidance on how to interpret “core activities”, “large scale” and “regular and systematic monitoring”. With respect to the “core activities”, it is noteworthy to mention that according the Article 29 Working Party, an organization’s payroll or IT activities are necessary to support the organization’s business and therefore are rather ancillary activities that would not, on themselves, trigger the obligation to appoint a DPO. The DPO itself would not be personally responsible for the organization’s non-compliance with the GDPR, such responsibility remaining with the organization itself. The Article 29 Working Party encourages the voluntary appointment of DPO’s but underlines the different nature of DPO’s as compared to current functions such as CPO’s.

The Guidelines on the right to data portability further clarifies the right of data subjects to receive from the controller, under certain conditions, their own personal data in a readable format, and permits the direct transmission of personal data from one data controller to another. Notably, the guidance adopts a very broad interpretation of the scope of the data portability right, so that it will not only include personal data provided by the data subject “knowingly and actively” to the controller, but also data generated by the data subject’s activity. Inferred or derived data generated by the controller (such as a profile) would not be included The guidance also states that this right does not impose additional obligations on the data controller to retain personal data for longer than necessary, or commence retention efforts simply to service a data request. However, the guidance does encourage data controllers to begin developing mechanisms to adequately respond to such requests, and cooperate in order to create a common set of interoperable standards.

Finally, the Guidelines for identifying a controller or processor’s lead supervisory authority discusses the so-called “One-Stop-Shop” principle in cases of cross-border processing activities. Noteworthy for U.S. businesses is that non-EU controllers without an establishment in the EU (but who are subject to the GDPR because, for instance, they offer goods and services to data subjects in the EU), cannot benefit from the One-Stop-Shop, but must deal with the local supervisory authority of each Member State where they are active. The Guidelines also make it clear that different supervisory authorities may still be the lead supervisory authority depending on the various types of processing. It underlines that there will be many borderline and complex situations on which, ultimately, the European Data Protection Board will have to decide.

The three separately issued guidance tackles some of the numerous questions raised since the new GDPR was approved in May 2016, and lends some clarity to the obligations of data controllers and processors that will be affected by the new law but leaves open many questions.

The Article 29 Working Party welcomes any comments to these guidelines until the end of January 2017. Additional Guidelines on the Data Protection Impact Assessment and Certification are announced for the course of 2017.