EU Data Protection Authorities Provide Useful Guidance on the GDPR

Author: Erkko Korhonen

On Tuesday 13 December, the Article 29 Working Party (an independent European advisory body on data protection and privacy, comprising of representatives of national data protection authorities) published its first set of guidelines on the General Data Protection Regulation (the “GDPR”). The guidelines and associated FAQ cover the following areas:

1. Right to data portability (Guidance on Data Portability / FAQ)

1. Data protection officer (Guidance on DPO / FAQ)

1. Identifying data controller’s and processor’s Lead Supervisory Authority (Guidance on Lead Supervisory Authority / FAQ)

In this blog post, we are briefly outlining the first two.

1. Data Portability

Under the GDPR (Art. 20), data portability is defined as data subject’s right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided.

According to the WP29’s opinion, the term “provided by the data subject” must be interpreted broadly. Thus, in addition to the data actively and knowingly provided by the data subject, such “provided” data also include the personal data generated by and collected from the activities of the users. According to the WP29, a person’s search history, traffic data, and location data are regarded to be ‘provided by the data subject’. However, the personal data generated by the data controller as part of the data processing, e.g. by user categorisation or profiling, are data derived or inferred from the personal data provided by the data subject, and are therefore not covered by the right to data portability.

It should also be borne in mind that in order to fall under the scope of data portability, processing operations must be based either on i) the data subject’s consent or ii) a contract to which the data subject is a party. Thus, the GDPR does not establish a general right to data portability for cases where the processing of personal data is not based on consent or contract. However, according to the WP29, data portability is regarded as a good practice in case of processing based on the legal ground of necessity for a legitimate interest. In addition, the right to data portability only applies if the data processing is “carried out by automated means”, and therefore does not cover paper files.

The WP29’s guidelines also provide guidance on how and when the data subjects should be informed about the right to data portability, how a data subject requesting the data can be identified, and how the data should be provided to the data subjects.

2. Data Protection Officer

The GDPR requires the designation of a DPO in three specific cases:

1. where the processing is carried out by a public authority or body (irrespective of what data is being processed);

1. where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; and

1. where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences. The WP29 has stated that the “core activities” can be considered the key operations necessary to achieve the controller’s or processor’s goals. However, not all the activities can be considered “core activities” although activities might be essential for the organisation, for example, payroll and IT support functions.

Both sections b) and c) refer to “core activities” consisting of processing on a “large scale”. The WP29 guidelines aim to provide guidance on how these terms should be interpreted.

As regards the ‘large scale’ processing, the WP29 recognises that it is not possible to give a precise number either with regard to the amount of the data processed or the number of individuals concerned which would be applicable in all situations. However, this does not exclude the possibility that, over time, a standard practice may develop for specifying in objective, quantitative terms what constitutes “large scale” in respect of certain types of common processing activities. In its guidance, the WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:

• The number of data subjects concerned - either as a specific number or as a proportion of the relevant population

• The volume of the data and/or the range of different data items being processed

• The duration, or permanence, of the data processing activity

• The geographical extent of the processing activity

In addition, the WP29’s guidance provides information on DPO’s required level of expertise and professional qualities, as well as on tasks and position in general. The necessary skills and expertise include: i) expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR; ii) understanding of the processing operations carried out; iii) understanding of information technologies and data security; iv) knowledge of the business sector and the organisation; and v) ability to promote a data protection culture within the organisation.

It is mentioned that the DPO should get not only the active support for the DPO’s function from the senior management (e.g. at board level) but also adequate support in terms of financial resources, infrastructure (premises, facilities, equipment), and staff, where appropriate. In general, the more complex and/or sensitive the processing operations, the more resources should be given to the DPO.

It should be noted that DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with the GDPR. However, the DPO is a key player in the new data governance system and the GDPT lays down the conditions for the appointment, position, and tasks of the DPO.

In addition to the WP29’s guidance, the Irish Data Protection Commissioner (DPC) has also issued guidance on compliance with GDPR for the purpose of helping the companies in their preparation for the GDPR. The DPC has urged the companies (both data controllers and data processors) to immediately start preparing for the implementation of GDPR by carrying out a “review and enhance” analysis of all current or envisaged processing in line with the GDPR.

During the upcoming six months, we are expecting to see more and more guidance and interpretations from the WP29, as well as from national data protection authorities. We at Hannes Snellman are regularly monitoring the progress of the GDPR preparations and will provide you with the latest information.