Thursday, 22 December 2016
After its plenary meeting on 13 December 2016, the Article 29 Data Protection Working Party (“WP29”) announced some developments related to the implementation of the EU–US Privacy Shield.
The WP29 has adopted specific communication tools for both individuals and businesses. It will publish these tools on its website so that national Data Protection Authorities (“DPAs”) can use them as a resource.
The WP29 has also confirmed that it will take on the role of “EU centralised body”, the European Union (“EU”) individual complaint-handling body that was established under the Privacy Shield. Its role is to direct complaint requests about data transferred to the US for commercial purposes and further accessed for national security purposes.
In addition, after “auditioning” US government representatives relating to the Privacy Shield Ombudsperson, the WP29 emphasised the importance of working together closely with its US counterparts on the practical aspects of the Privacy Shield. It has also continued to consider the content of the joint annual review of the Privacy Shield that the European Commission and DPAs will perform in 2017.
If you need any advice about what effect the EU–US Privacy Shield might have on your organisation’s policy for transferring personal data to and from the US, please don’t hesitate to contact Pritchetts.
On 15 December 2016, the Article 29 Data Protection Working Party (“WP29”) issued guidelines and frequently asked questions (“FAQs”) for implementing the General Data Protection Regulation (“GDPR”). These included:
- Guidelines and FAQs for identifying a data controller or data processor’s lead supervisory authority.
Let’s take a look at each element of the guidelines:
- Data portability. Article 20 of the GDPR creates a new right to data portability, which aims to empower data subjects regarding their own personal data as it facilitates their ability to receive, move, copy or transmit personal data easily from one IT environment to another. This new right will also support the free flow of personal data in the European Union (“EU”), fostering competition between data controllers and facilitating switching between different service providers.
The WP29 considers that the right to data portability covers data provided knowingly by the data subject, as well as the personal data generated by his or her activity. The right to data portability cannot be undermined by limiting it to the personal information directly communicated by the data subject, for example, on an online form.
If your business holds customer data, you should be considering now how to adapt or implement systems to enable data portability before it becomes a legal requirement in May 2018. By sorting this out now, you can avoid the expense of retrofitting a solution later.
- Data Protection Officers. The WP29 has said, “the DPO is a cornerstone of accountability and … appointing a DPO can facilitate compliance and furthermore, become a competitive advantage for
If your business is required to appoint a DPO, or has chosen to appoint a DPO, you will need to consider how you budget for the time, expense and structural change that will be required to ensure that you can comply with the GDPR. In particular, you will need to ensure that your DPO:
- Is sufficiently autonomous, and there is no conflict of interest.
- Has adequate professional qualities, and expert knowledge of data protection law and practice.
- Is “easily accessible” to data subjects, supervisory authorities and internally, for example, by being able to communicate in the relevant local languages.
- Is given sufficient resources to fulfil their role as DPO (for example, active support by senior management, general awareness within the business, sufficient time to fulfil their tasks, adequate budget and staff and ongoing training).
- Is involved from the earliest possible stage in all issues relating to data protection (in particular, when carrying out Data Protection Impact Assessments).
The WP29 has provided guidance on when it would be mandatory to appoint a DPO, looking at what the terms “core activities” and “large scale” are intended to cover. It has given the example of a security firm using CCTV, which would mean that its processing activities were inextricably linked to its core activity, so the firm would require a DPO. Further, a company’s processing of employee data or provision of internal IT support is a support function, not part of the core activity itself, so it would not necessarily trigger a requirement for a DPO.
- Lead supervisory authorities. Where a data controller or data processor performs data processing across different Member States, or where the processing of an organisation significantly affects data subjects in more than one Member State, such cross-border processing activity is usually supervised by one authority called the lead supervisory authority. However, if a data controller performs data processing about the residents of a Member State within that Member State (in which case, no cross-border processing is taking place), the data controller will need to deal with the lead supervisory authority in every Member State in which it is active.
Given that each Member State will be permitted derogations from the GDPR, staying on top of the detailed rules and variations that apply to any business you may do outside your home country, but within the EU, will be a tricky matter.