A new era in data protection law began in May 2016 when the EU General Data Protection Regulation (GDPR) entered into force. It affects the private and public sector and every industry in Germany and across the EU. From May 25, 2018 on, companies must comply with the provisions of the GDPR; otherwise they risk high fines and other sanctions.
Because the GDPR is the product of a political compromise, it has remained vague in many places, relying on general clauses and undefined legal terms. The supervisory authorities therefore consider it their responsibility to draft interpretation and orientation guides.
In December 2016, the Article 29 Working Party published three guidelines, each accompanied by FAQs, on the application of the new regulation. The guidelines are intended to shed light on the grey areas created by the general clauses and the undefined legal terms.
In these guidelines, the Article 29 Working Party covers three topics in detail: the right to data portability under Art. 20 GDPR, the data protection officer under Art. 37 GDPR, and the lead supervisory authority under Art. 56 GDPR.
1. Right to data portability under the control of the data subjects
Art. 20 GDPR grants the data subject the right to receive the personal data concerning him or her, which he or she has provided to a controller in a structured, commonly used and machine-readable format and to have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided where:
- the processing is based on consent or on a contract,
- the processing is carried out by automated means.
In practice, this means that companies do not have to guarantee the portability of data that was processed on another legal basis, for example on the basis of a balancing of interests (legitimate interests). Companies should therefore determine and document the legal basis for each individual processing operation in order to meet their accountability obligations. This documentation also allows them to fulfil their duty to inform data subjects of the legal basis in accordance with Art. 13(1)(c) GDPR.
With the right to data portability, the European legislator has created a genuinely new right. There are no pertinent decisions yet from case law or administrative practice.
Regarding the new right to data portability, the Article 29 Working Party states among others that it strengthens the data subjects’ right to access their own personal data. The data subject should be able to transfer personal data from one IT environment to another, to copy it, or to transmit it to another service provider without any hindrance by a service provider.
The right to data portability does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition, the exercise of the right must not adversely affect the rights and freedoms of others. It is encouraging that the Article 29 Working Party recognizes that once the data have been transmitted at the data subject's request, the transmitting company is not responsible under data protection law for what the data subject (or the receiving controller) subsequently does with them. Nor is the transmitting company obliged to retain the data beyond the period that is necessary for its own purposes or required by statutory retention periods.
Furthermore, the right to data portability does not cover personal data that were not generated by the data subject but by the controller or a third party, such as inferred or derived data. Consequently, portability only has to be guaranteed for data provided by the data subject. In the opinion of the Article 29 Working Party, however, observed data generated by the data subject's use of the service or device also fall within the right to data portability; examples include a person's search history, traffic data, location data, and measurement values from devices. In practice, this results in a broad interpretation of the scope of the right.
The Article 29 Working Party suggests that controllers should in practice offer several technical options for handling data portability requests, for example a technical interface. To this end, it calls on industry to develop interoperable formats that make data portability possible. In its view, the right to data portability is also an important tool that will not only support the free flow of personal data within the EU but also foster competition between controllers.
Among the technical options the guidelines mention are a direct download option for the data subject and data transfer via an application programming interface (API), which lets the data subject have the data transmitted directly to another controller.
2. Data Protection Officer
In WP243, the Article 29 Working Party addresses four main topics regarding the Data Protection Officer ("DPO") under Art. 37 GDPR: first the conditions under which designation of a DPO is mandatory, then the requirements of independence and qualification of the DPO, and finally the tasks of the DPO.
The statements made by the Article 29 Working Party about when a company is obligated to designate a DPO are most likely of little practical relevance for German companies. All drafts of the successor act to the Federal Data Protection Act disclosed so far retain the core of the current German rule: a data protection officer must be appointed if ten or more persons are regularly involved in the automated processing of personal data, or if the company's activities involve particular risks for the data subjects. In the last known draft (the Data Protection Adjustment and Transposition Act-EU of November 23, 2016), this is governed by Section 36 of the new Federal Data Protection Act. The German obligation to designate a data protection officer therefore applies much earlier than the obligation under the GDPR itself.
If a company concludes that it is not obligated to designate a DPO, the Article 29 Working Party recommends that the assessment leading to this decision be documented. Given the obligation to demonstrate compliance with the provisions of the GDPR (Art. 24(1) for controllers and Art. 28(1) for processors), companies should definitely follow this recommendation.
The Article 29 Working Party first underlines that the DPO must not be restricted in the exercise of his or her tasks and must not be penalised under employment law for performing them. The current draft of the new Federal Data Protection Act accordingly continues to provide the DPO with protection against dismissal.
The DPO must be provided with sufficient resources to carry out his or her duties. Where the DPO also performs other duties in the company, these must not result in a conflict of interests. A conflict of interests always exists where the DPO holds a position within the organization that leads him or her to determine the purposes and means of the processing of personal data. The Article 29 Working Party therefore generally considers senior management positions unsuitable for the role of DPO, but leaves this to be assessed on a case-by-case basis.
With regard to professional qualifications, the Article 29 Working Party primarily requires proven expertise in national and European data protection law, and in particular in the GDPR. On the technical side, it also requires a sufficient understanding of the processing operations actually carried out by the organization. Overall, however, it states that the level of expertise required of a DPO may differ depending on the company and the industry involved.
The Article 29 Working Party states that the DPO has an advisory and monitoring function, but that the DPO is not personally responsible for compliance with the requirements of the GDPR. That responsibility rests solely with the controller and/or the processor. The Article 29 Working Party attaches great importance to the DPO's role in the data protection impact assessment: the DPO should provide comprehensive advice and be involved from an early stage. With regard to the records of processing activities, the Article 29 Working Party notes that this obligation rests with the controller and the processor, but that they may assign the task of maintaining the records to the DPO.
3. Responsibility of the supervisory authorities in case of cross-border processing of personal data
In WP244, the Article 29 Working Party for the first time provides guidelines on identifying the lead supervisory authority with regard to cross-border processing of personal data and thereby assists in clarifying the concept of a one-stop shop (OSS).
Under the GDPR's OSS concept, in the case of cross-border processing a single supervisory authority, the lead supervisory authority, will in future be the sole interlocutor of the controller or processor (Art. 56(6) GDPR). It should be noted that although this transfers the main responsibility, it does not transfer sole decision-making power to the lead supervisory authority. That authority must reach agreement with the "supervisory authorities concerned" as defined in Art. 4(22) GDPR.
In practice, it will be relatively easy to determine whether cross-border processing relevant to the OSS concept exists under the first limb of the definition in Art. 4(23) GDPR: this is already the case if processing de facto takes place in more than one Member State. WP244 provides orientation for the more complex second limb of the definition, under which processing is also cross-border if it substantially affects or is likely to substantially affect data subjects in more than one Member State.
On the one hand, the Article 29 Working Party leaves the interpretation of the term "substantially affects" to the supervisory authorities on a case-by-case basis. On the other hand, it lists factors to be taken into account in addition to the context of the processing, the type of data and the purpose of the processing, including whether the processing:
- causes, or is likely to cause, damage, loss, or distress to individuals;
- affects, or is likely to affect individuals’ health, well-being or peace of mind;
- affects, or is likely to affect individuals’ financial or economic status or circumstances;
- leaves individuals open to discrimination or unfair treatment;
- involves the analysis of the special categories of personal or other intrusive data, particularly the personal data of children.
The guidelines then discuss how the "lead supervisory authority" is identified in a concrete case. In accordance with Art. 56(1) GDPR, the supervisory authority of the "main establishment" of the controller or processor is the lead authority.
The decisive factor is the place where decisions about the purposes and means of the processing are made ("decision-making power"). This may be the group headquarters, but it need not be. Where this is unclear, additional criteria may be considered, such as the place where operational decisions are actually taken, the place where the managing director is based, or the place of registration of the company.
4. Recommendations for action in practice
The guidelines and FAQs of the Article 29 Working Party are not binding, but they are valuable interpretation and orientation aids for supervisory authorities and companies alike. They will therefore be taken into account by the German and European data protection supervisory authorities and offer insight into how those authorities are likely to interpret the provisions of the GDPR in future.
The new guidelines of the Article 29 Working Party and the FAQs can be downloaded from the following sites: