In preparation for the General Data Protection Regulation (GDPR) coming into force in May 2018, the Article 29 Working Party (WP29) has adopted final guidelines on the right to data portability, data protection officers (DPOs) and lead supervisory authorities (LSAs). The guidelines have been amended following comments received from stakeholders on the initial drafts during the consultation process.
The WP29's revised data portability guidance clarifies that, when answering data portability requests, data controllers are not responsible for the processing handled by the data subject or by another company receiving personal data. The WP29 has also made it clear that data processors that process data that is subject to a data portability request are obliged to cooperate with data controllers in order to comply with the request.
The DPO guidelines have been amended to extend responsibility for all data processing activities to DPOs appointed by organisations on a voluntary basis. The WP29 has also recommended that DPOs be located within the EU to ensure that they are accessible.
The revised guidance on LSAs states that in situations where a data controller chooses an LSA under the one-stop shop principle, the LSA in question may choose to "rebut the controller's analysis based on an objective examination of the relevant facts, requesting further information where required". The WP29 has also indicated that that the "one-stop shop" system will be available to data processors where they have an establishment in multiple EU member states.