GDPR Working Party issues guidance
The Article 29 Working Party, the body of representatives of the EU national data protection authorities (the “Working Party”), has issued its first guidance on certain aspects of the GDPR, focusing on three main areas:
(1) The right to data portability
(2) Data protection officers (“DPOs”)
(3) Identification of the lead supervisory authority
This is interim guidance only: the documents have been adopted but remain open for consultation, and comments to the Working Party must be submitted by the end of January 2017.
The right to data portability
Article 20 of the GDPR introduces the right to data portability, which gives data subjects the right to receive the personal data they have provided to a controller and to transmit it to another controller. The right applies where the processing is based on consent or on a contract and is carried out by automated means. The personal data in scope includes not only data the data subject has actively provided to the controller (for example, by filling in a form) but also data observed by virtue of the subject’s use of the service, such as activity logs or search history. Data derived or inferred by the controller from that input, such as a profile or a credit score, falls outside the scope of the portability regime.
The data must be provided “in a structured, commonly used and machine-readable format”.
The Working Party comments on the technical aspect of portability, noting that:
“...data controllers should offer different implementations of the right to data portability…they should offer a direct download opportunity for the data subject but should also allow data subjects to directly transmit the data to another data controller”.
Essentially, the data should be provided to the subject in a format which supports re-use. The Working Party encourages cooperation:
“...[between] industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability”.
As with other aspects of the GDPR, the data portability requirement invites the development of new technology to enable data subjects to exercise their rights.
Data protection officers
Under the GDPR it is mandatory for certain controllers and processors to designate a DPO. All public authorities and bodies (other than courts acting in their judicial capacity) will require an appropriately qualified DPO, as will organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of personal data or data relating to criminal convictions and offences.
The meaning in this context of “core activity” is not defined in the GDPR. It has been broadly interpreted by the Working Party to mean those activities which constitute “key operations necessary to achieve the controller’s or processor’s goals”.
The Working Party similarly gives a broad interpretation to “large scale”. It declines to set a precise threshold and instead recommends that the following factors be considered when determining whether processing falls within the definition:
(1) the number of data subjects concerned;
(2) the volume of data and/or the range of different data items being processed;
(3) the duration, or permanence, of the data processing activity; and
(4) the geographical extent of the processing activity.
The Working Party also encourages other organisations to consider designating a DPO on a voluntary basis and reiterates that:
“...[the role of DPO] shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices…”
Identification of lead supervisory authority
At present, each EU member state has its own supervisory authority tasked with ensuring compliance with its national data protection laws. The GDPR, however, aims to provide a “one-stop shop” for organisations carrying out cross-border processing. The supervisory authority of the member state in which the organisation’s main establishment is situated acts as lead supervisory authority and coordinates with the other authorities concerned, so that the business has a single primary point of contact rather than having to deal separately with different regulators in different jurisdictions.
The GDPR’s definition of cross-border processing captures not only organisations with establishments in more than one member state but also organisations whose processing “substantially affects” (or is likely to “substantially affect”) data subjects in more than one member state.
Importantly, the Working Party is keen to emphasise that an organisation’s main establishment will be determined by reference to “precisely where the decisions on purpose and means of processing are taken”, rather than by the location the organisation nominates.
Under the GDPR “forum shopping” will not be permitted.
If there is any ambiguity as to the identity of the lead supervisory authority, the organisation’s activities will be closely scrutinised:
“...using objective criteria and looking at the evidence…Conclusions cannot be based solely on statements by the organisation under review”.
For further information and the original Working Party press release, guidance notes and FAQs, please see: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083