The Article 29 Working Party (WP29) – the group that represents the data protection authorities of all EU Member States – has published guidance and FAQs on a number of issues under the General Data Protection Regulation (GDPR).
DPOs are a cornerstone of the GDPR's accountability regime. The GDPR requires organisations to appoint a DPO where their core activities involve large-scale processing of special categories of personal data (or data relating to criminal convictions), or large-scale regular and systematic monitoring of data subjects; public authorities and bodies must appoint one in any event, and Member State law may extend the obligation further. The WP29 guidance elaborates on what "core activities", "large scale" and "regular and systematic monitoring" mean in practice, clarifying when a DPO should be appointed. The guidance also confirms that the DPO can be an external party and is not personally responsible in the case of non-compliance with the GDPR; that responsibility remains with the controller or processor.
The GDPR introduces a new right to data portability: data subjects can receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format and have it transmitted to another organisation. The WP29 guidance clarifies the scope of the right and sets out ways to facilitate it. In particular, it emphasises the interoperability of the data format and confirms that the right covers pseudonymised data that can be clearly linked to a data subject and data generated by the data subject's own activity (such as search history), together with the associated metadata, but not data the controller has itself derived or inferred from that data.
To encourage a harmonised approach to enforcement and to avoid forum shopping, the WP29 guidance clarifies how organisations engaged in cross-border processing of personal data can identify their lead supervisory authority, namely the authority of the Member State in which the organisation has its main establishment. This one-stop-shop mechanism is available only to organisations with an establishment in the EU. Organisations subject to the GDPR without any establishment in the EU must instead appoint a representative in the EU and deal with the supervisory authority of each Member State in which they are active.
This suite of guidance marks the WP29's first concerted effort to advise on how the GDPR will work in practice. Although the guidance was officially adopted last week, the WP29 has invited comments from stakeholders, so revised versions may follow.
The WP29 also announced that additional guidance on topics such as Data Protection Impact Assessments and certification will be issued in 2017. Meanwhile, the UK Information Commissioner's Office (ICO) is expected to issue guidance on the GDPR by the end of 2016. Follow the Latham Global Privacy & Security Compliance Law Blog for further updates and analysis.