The Article 29 Data Protection Working Party (WP29) recently held its December plenary meeting to discuss certain issues related to the implementation of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018, and of the Privacy Shield, which was opened for self-certification by companies in August.

During its December plenary meeting, WP 29 adopted three sets of guidelines and FAQs for controllers and processors of personal data (available for download on WP29’s website):

  • Guidelines and FAQs on the Right to Data Portability;
  • Guidelines and FAQs on Data Protection Officers (DPOs); and
  • Guidelines and FAQs on the Lead Supervisory Authority.

Below are the key takeaways from the three guidelines.

The Right to Data Portability

  • Scope.
    • Data portability is a data subject’s right to receive personal data processed by a data controller and to store it for further personal use on a private device, without transmitting it to another data controller. However, data subjects also have the right to transmit data from one controller to another controller “without hindrance.” As such, this right facilitates data subjects’ ability to move, copy or transmit personal data easily from one IT environment to another, thereby facilitating switching from one service provider to another and enhancing competition between services.
    • To fall within the scope of data portability, processing operations must be based (1) either on the data subject’s consent or (2) on a contract to which the data subject is a party (e.g., the titles of books purchased by an individual from an online bookstore).
    • Data portability applies only to data processing that is “carried out by automated means.” It does not apply to paper files.
    • Data portability covers the subject’s personal data that he or she provided to a data controller. This includes data actively and knowingly provided by the data subject (e.g., mailing address, user name, age) and observed data that is “provided” by the data subject by virtue of the use of the service or the device (e.g., search history, location data). This, however, does not include “inferred” data, i.e., data generated by the subsequent analysis of the data subject’s behavior.
  • Format. The data should be provided “in a structured, commonly used and machine-readable format” that supports re-use. Data controllers are expected to offer a direct download opportunity for the data subject but should also allow data subjects to directly transmit the data to another data controller. Furthermore, data controllers are expected to provide as many metadata with the data as possible to preserve the precise meaning of exchanged information.
  • Retention. Data portability does not impose an obligation on the data controller to retain personal data for longer than is necessary or beyond any specified retention period. (In fact, this right should encourage organizations to follow their records disposition policies to ensure that no data is kept once it outlives its usefulness or fulfills its preservation obligation.)
  • Notice.   Data controllers are required to inform the data subjects regarding the availability of the new right to portability.
  • Timing.  Data controllers must answer a portability request “without undue delay” and in any case “within one month of receipt of the request” or within a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for such delay within one month of the original request.
  • Fees.  Data controllers are prohibited from charging a fee for the provision of the personal data, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, “in particular because of their repetitive character.”
  • Security. When transferring data, the data controller is responsible for taking “all the security measures” needed to ensure that personal data is securely transmitted (e.g., by use of encryption) to the right destination (e.g., by use of additional authentication information). When allowing data subjects to retrieve their personal data from an online service, the data controller, as a best practice, could recommend appropriate formats and encryption measures to help the data subject securely retrieve his data.

Data Protection Officers (DPOs)

  • DPO tasks. The DPO is charged with the following tasks: (1) monitoring internal compliance with the GDPR, prioritizing higher-risk areas based on the nature, scope, context, and purposes of processing; (2) providing advice regarding the carrying out of a data protection impact assessment (DPIA) and monitor its performance; and (3) helping the controller or the processor fulfill its obligation to maintain a record of its processing operations.
  • When required. A DPO is required for the private sector in two specific cases:
    • Where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; and
    • Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.
  • Core activities. Recital 97 of the GDPR specifies that core activities of a controller relate to “primary activities and do not relate to the processing of personal data as ancillary activities.” Core activities are the key operations necessary to achieve the controller’s or processor’s goals (e.g., processing patients’ health records by a hospital; processing of surveillance information from private shopping centers and public spaces by a private security company).
  • Large scale. Recital 91 explains that “large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk” would be included. WP29 recommends the following factors for consideration: (1) the number of data subjects concerned; (2) the volume of data and/or the range of different data items being processed; (3) the duration, or permanence, of the data processing activity; and (4) the geographical extent of the processing activity. For instance, large-scale processing includes processing of patient data by a hospital, but not by an individual physician.
  • Regular and systematic monitoring. WP29 interprets “regular” to mean ongoing, recurring, or repeated at fixed times, and “systematic” as occurring according to a system, pre-arranged, organized, or carried out as part of a strategy. Examples include operating a telecommunications network, profiling and scoring for purposes of risk assessment (e.g., credit scoring, fraud prevention), location tracking (e.g., by mobile apps), monitoring of wellness, fitness and health data via wearable devices, CCTV, connected devices.
  • DPO qualifications. Article 37(5) provides that the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” The DPO must have a level of expertise that is commensurate with the sensitivity, complexity and amount of data an organization processes. The DPO should have expertise in national and European data protection laws and practices and in-depth understanding of the GDPR. Finally, the DPO’s position within the organization should enable him or her to have the necessary resources and sufficient autonomy and influence in order to play a key role in fostering a data protection culture within the organization and help implement essential elements of the GDPR. The DPO may have other functions within the organization, as long as they do not result in a conflict of interest.

Identifying Lead Supervisory Authority

  • Function.  A lead supervisory authority is the authority with the primary responsibility for dealing with a cross-border data processing activity. For instance, when a data subject makes a complaint about the processing of his or her personal data, the lead supervisory authority will coordinate any investigation and will involve other “concerned” supervisory authorities, as necessary.
  • Scope.  Only controllers or processors who carry out the cross-border processing of personal data need to identify a lead supervisory authority. Cross-border processing includes processing that takes place in the context of the activities of establishments in more than one EU Member State or in the context of the activities of a single establishment but which substantially affects data subjects in more than one Member State.
    • For instance, (1) an organization that has establishments in France and Romania and that processes personal data in the context of the activities of these establishments and (2) an organization that carries out processing activity in the context of its establishment in France, but in a way that may affect data subjects in France and Romania – are both engaged in cross-border processing and would need to identify their lead supervisory authority.
  • Substantially affects. The GDPR does not define this term and WP29 and the DPAs will interpret it on a case-by-case basis, taking into account the context of the processing, the type of data, the purpose of the processing and factors such as whether the processing does, or is likely to do, the following:
    • Causes damage (including reputational damage), loss, distress, or embarrassment to individuals;
    • Has an actual effect in terms of limiting rights or denying an opportunity, or leaves individuals open to discrimination or unfair treatment;
    • Affects individuals’ health, well-being or peace of mind, or financial or economic status or circumstances;
    • Involves the analysis of the special categories of personal or other intrusive data, particularly the personal data of children;
    • Causes individuals to change their behavior in a significant way;
    • Has unlikely, unanticipated or unwanted consequences for individuals; or
    • Involves the processing of a wide range of personal data.
  • How to identify. Identifying the lead supervisory authority depends on determining the location of the controller’s “main establishment” or “single establishment” in the EU. Article 4(16) of the GDPR provides detailed definitions of what constitutes “main establishment” with regard to a controller and with regard to a processor. It is possible for an organization to have multiple lead supervisory authorities, depending on the nature and location of its decision-making with respect to a particular data-processing activity.
    • For instance, the German authorities would take the lead in supervising banking activities of a bank with corporate headquarters in Frankfurt that organizes all of its banking data-processing activities from Frankfurt, but the Austrian supervisory authority would be the lead authority with respect to the same bank’s insurance data-processing activity where that activity is decided and carried out by the bank’s establishment in Vienna.

In cases involving both controller and processor, the competent lead supervisory authority will be the lead supervisory authority for the controller. In this situation, the supervisory authority of the processor will be a “supervisory authority concerned” and should cooperate with the lead in handling the issue.

For companies that do not have an “establishment” in the EU, the mere presence of a representative in a Member State does not trigger the “one stop shop” system. As such, controllers without any establishment in the EU will need to deal with local supervisory authorities in every Member State they are active in, through their local representative.

  • Supervisory authority concerned. The lead supervisory authority would need to consult with “supervisory authority concerned” to ensure that the “lead authority” model does not prevent other supervisory authorities having a say in matters that affect them. Under certain circumstances, the lead supervisory authority may choose to step aside and let the concerned supervisory authority handle the complaint.

The detailed guidance provided by the WP29 on the right to data portability, the function of the DPOs, and the identification and function of the lead supervisory authorities is extremely valuable for multinational companies getting ready for GDPR compliance. The GDPR will bring about substantial changes to the way organizations collect, process, and transfer personal data, and companies should begin working toward achieving that compliance in the next year. Failure to make organizational data-processing activities GDPR-compliant may result in devastating penalties. Depending on the type of infringement, GDRP violators can be fined up to €10 – €20 million, or up to 2% – 4% of total worldwide annual turnover, whichever is higher.