As we enter 2017, 2018 doesn't seem that far away...and with
the new General Data Protection Regulation (GDPR) due to come into
effect from 25 May 2018, organisations are running out of time to
ensure compliance with the new data protection requirements. It is
therefore not surprising that the Article 29 Working Party
("Working Party") is already issuing guidance.
Here, we discuss the Working Party's recent guidelines on:
The right to data portability
The role of the data protection officer
The establishment of the lead supervisory authority
Data Portability
With the aim of giving users and consumers greater control over their
personal data, the GDPR introduces a new right to data portability
(article 20). Controllers must inform individuals about this right:
the right to receive their personal data in a structured, commonly
used and machine-readable format and to transmit those data to another
controller.
The guidance covers the following:
The main elements of data portability
(including the right to receive personal data, the right to
transmit personal data from one controller to another controller,
and the impact of data portability on other rights under the GDPR)
When the right applies (i.e., the
criteria which need to be satisfied)
The need to inform individuals of the
availability of the new right to data portability (articles 13 and 14)
How the portable data are to be
provided (including expected data format, large and complex data
sets and security of portable data)
The Working Party "encourages cooperation between industry
stakeholders and trade associations to work together on a common
set of interoperable standards and formats" to deliver these
requirements.
Data Protection Officer (DPO)
Although the Working Party has not specified what professional
requirements are necessary for the appointment of a DPO, it does
stress that DPOs should have a level of expertise
"commensurate with the sensitivity, complexity and amount of
data an organisation processes". The guidance also clarifies
that a DPO will not be personally liable for any non-compliance
with the GDPR.
In particular, the guidance covers:
Designation of a DPO (including when designation is mandatory)
The position of the DPO
(independence, necessary resources and conflicts of interests)
The tasks of the DPO (monitoring
compliance with GDPR, data protection impact assessments,
risk-based approach, and record-keeping)
Lead Supervisory Authority
The lead supervisory authority is the authority responsible for
dealing with a cross-border data processing activity, for example
when an individual makes a complaint about how their personal data
are being processed. The lead supervisory authority will manage any
investigation, which may involve other supervisory authorities.
The recent guidance looks at how the main establishment is to be
ascertained. The guidance provides:
The main establishment would
typically be in the EU Member State where the organisation has its
central administration; however, there may be instances where other
establishments in the organisation have autonomy over decisions
regarding the purposes and means of processing
The location where these decisions
are made determines the 'main establishment'. It is
worth noting that there can be instances where more than one lead
supervisory authority is identified.
As May 2018 approaches...
It's comforting to see that the Working Party is meeting the
objectives set out in its action plan last year, including
issuing guidance to controllers and processors. This will give
organisations a firmer grasp of what is expected of them
regarding a number of rights and obligations under the GDPR. Also,
the Working Party has said that it wants "to launch a
permanent, regular consultation process" with businesses and
civil society, which will allow the Working Party to observe
whether its action plan is working.