The EU Article 29 Data Protection Working Party (WP 29) is continuing its work in preparation for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018. Last month, the WP29 released three sets of guidelines for controllers and processors of personal data, including guidelines on the right
The Article 29 Data Protection Working Party (WP29) recently held its December plenary meeting to discuss certain issues related to the implementation of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018, and of the Privacy Shield, which was opened for self-certification by companies in August.
During its December plenary meeting, WP 29 adopted three sets of guidelines and FAQs for controllers and processors of personal data (available for download on WP29’s website):
- Guidelines and FAQs on the Right to Data Portability;
- Guidelines and FAQs on Data Protection Officers (DPOs); and
- Guidelines and FAQs on the Lead Supervisory Authority.
Below are the key takeaways from the three guidelines.
The Right to Data Portability
- Data portability is a data subject’s right to receive personal data processed by a data controller and to store it for further personal use on a private device, without transmitting it to another data controller. However, data subjects also have the right to transmit data from one controller to another controller “without hindrance.” As such, this right facilitates data subjects’ ability to move, copy or transmit personal data easily from one IT environment to another, thereby facilitating switching from one service provider to another and enhancing competition between services.
- To fall within the scope of data portability, processing operations must be based (1) either on the data subject’s consent or (2) on a contract to which the data subject is a party (e.g., the titles of books purchased by an individual from an online bookstore).
- Data portability applies only to data processing that is “carried out by automated means.” It does not apply to paper files.
- Data portability covers the subject’s personal data that he or she provided to a data controller. This includes data actively and knowingly provided by the data subject (e.g., mailing address, user name, age) and observed data that is “provided” by the data subject by virtue of the use of the service or the device (e.g., search history, location data). This, however, does not include “inferred” data, i.e., data generated by the subsequent analysis of the data subject’s behavior.
- Format. The data should be provided “in a structured, commonly used and machine-readable format” that supports re-use. Data controllers are expected to offer a direct download opportunity for the data subject but should also allow data subjects to directly transmit the data to another data controller. Furthermore, data controllers are expected to provide as many metadata with the data as possible to preserve the precise meaning of exchanged information.
- Retention. Data portability does not impose an obligation on the data controller to retain personal data for longer than is necessary or beyond any specified retention period. (In fact, this right should encourage organizations to follow their records disposition policies to ensure that no data is kept once it outlives its usefulness or fulfills its preservation obligation.)
- Notice. Data controllers are required to inform the data subjects regarding the availability of the new right to portability.
- Timing. Data controllers must answer a portability request “without undue delay” and in any case “within one month of receipt of the request” or within a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for such delay within one month of the original request.
- Fees. Data controllers are prohibited from charging a fee for the provision of the personal data, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, “in particular because of their repetitive character.”
- Security. When transferring data, the data controller is responsible for taking “all the security measures” needed to ensure that personal data is securely transmitted (e.g., by use of encryption) to the right destination (e.g., by use of additional authentication information). When allowing data subjects to retrieve their personal data from an online service, the data controller, as a best practice, could recommend appropriate formats and encryption measures to help the data subject securely retrieve his data.