Tag Archive: GDPR

NORWAY: Preparing to implement the GDPR – Draft for new Personal Data Act

By Jan Sandtrø, Partner, Norway

Last week the new Personal Data Act for implementing the GDPR in Norway was published. Norway has taken a similar approach to, for example, Ireland in translating the GDPR into Norwegian, but there are also some additional regulations proposed which are specific to Norway.

The specific regulations for Norway are proposed in the new Personal Data Act and include regulation based on the GDPR, as well as taking advantage of the margin of maneuverability to allow for the continuance of some of Norway’s existing legislation.

These are:

  • Sensitive data. As a general rule, use of “sensitive data” (special categories of personal data) will be prohibited; however, it is proposed that the Data Inspectorate may authorize the processing of sensitive personal data where the processing is in the public interest.
  • Use of personal ID numbers. The rights regarding processing of ID numbers for physical persons and other national identification numbers are continued as under the previous act, meaning that personal ID numbers may only be used where there are reasonable grounds to require proper identification and the use of personal ID numbers is necessary for such identification.
  • Age limit for information society services. The minimum age for consent for information society services is set at 13 years of age (which is the same as in e.g. Sweden and Denmark).
  • Exceptions from a duty to provide information to registered persons under the GDPR are limited to some extent in the interests of protecting the public interest and the registered persons.
  • Confidential duties of DPOs. Additional duties of confidentiality are imposed on Data Protection Officers.
  • One-stop-shop. A data controller active in multiple EU countries may use the supervisory authority in the country where it has its main establishment for all personal data matters in the EU and EEA, including for data controllers processing Norwegian personal data where the controller is established in another EU/EEA state.
  • Surveillance cameras. There is a separate regulation on the use of surveillance cameras (CCTV) in the workplace and the use of dummy surveillance equipment. However, the detailed regulation under Norwegian law on the use of surveillance cameras will be repealed.
  • Credit information. The specific rules on credit information activities under the current regime are not continued, and the way credit information activities are regulated will be addressed by the Ministry at a later point.
  • Employer access to email etc. The specific Norwegian regulation on restrictions for employers’ access to emails and other electronic files used by employees on supplied hardware and systems will remain in force, with some minor adjustments.
  • Additional regulation. There will be additional regulation on the requirement to have a Data Protection Officer in place and the duty for the data controller to have advance approval by the Data Inspectorate on certain types of processing. However, no proposal on such regulation has been published yet.

Please also note that the previous regime on notification and the requirement of concessions in Norway will cease (concessions given under the present Personal Data Act will, however, remain in effect until they expire). The previous penalties for breach of the Personal Data Act as a criminal offence are removed; however, the high level of administrative fines under the GDPR (up to four percent of annual global turnover or EUR 20 million, whichever is greater) will be implemented.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/norway-preparing-to-implement-the-gdpr-draft-for-new-personal-data-act/

GLOBAL: GDPR – One Year to Go!

It is one year to the day until the European General Data Protection Regulation comes into force. The clock is now ticking to fines of up to 4% of total worldwide annual revenue for failing to comply with the requirements of the EU GDPR. To assist your organisation with preparing for 25 May 2018 we have developed a suite of useful tools.

Explore GDPR Mobile App

  • Our Explore GDPR mobile app is now available for downloading from both Apple’s App Store and Google Play. The app has been developed to make the text of the new EU General Data Protection Regulation (GDPR) easily accessible. It not only provides the full Regulation text but is also fully searchable and links each article to each of the relevant recitals. In addition, articles from the EU GDPR are linked to corresponding articles from its predecessor, the EU Data Protection Directive 95/46/EC.

GDPR Microsite

  • We maintain a dedicated GDPR microsite where you can find useful information to help you learn about the EU GDPR – what it covers, the impact it is likely to have on organisations across different sectors, actions to take now to prepare, as well as regular updates and information on our webinars and events. You will also find our summary Guide to the GDPR which many organisations find to be a helpful quick guide to the key requirements of the GDPR.

Data Protection Officer Training Academy

  • We have developed a Data Protection Officer Training Academy aimed at IT, compliance and legal professionals, or those taking on the role of Data Protection Officer. The course provides practical, interactive guidance on how to establish and manage compliance as a DPO, consistent with the many requirements of the GDPR.

Data Privacy Scorebox

  • Our Data Privacy Scorebox is an online tool to help you assess your data protection maturity level. It requires completing a survey covering areas such as storage of data, use of data, and customers’ rights. Once completed, a report summarising your organisation’s alignment with 12 key areas of global data protection is produced. The report also includes a practical action point check list and peer benchmarking data.

Data Protection Laws of the World Guide

  • Our Data Protection Laws of the World Guide offers a succinct overview of the areas of data protection law that have the most practical significance to businesses. The Handbook covers over 90 jurisdictions.

About DLA Piper’s Data Protection, Privacy and Security Group
The DLA Piper Data Protection, Privacy and Security Group includes over 150 privacy lawyers worldwide. We provide business-oriented legal advice on achieving effective compliance wherever you do business. For more information, please do not hesitate to contact us at dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-gdpr-one-year-to-go/

AUSTRIA: Draft GDPR Implementation Act

On 12 May 2017 a Draft GDPR Implementation Act (“Draft”) was submitted to the Austrian Parliament and is now to be reviewed, assessed and commented on by various public bodies, organisations and groups.

With the GDPR Implementation Act the present Data Protection Act 2000 (Datenschutzgesetz 2000) will be repealed and a new Data Protection Act issued, which will become effective on 25 May 2018.

General overview

At first glance the Draft covers only a bare minimum of implementation: the major part of the Draft includes only the provisions strictly required by the GDPR, and only a few of the optional opening clauses are actually included. A large part of the Draft concerns only the implementation of Directive 2016/680.

The review of the explanatory notes confirms this first impression, as they state that the Draft shall mainly include the necessary implementation of the GDPR and only a few of the opening clauses. The ministerial working party has deliberately not used the openings within the GDPR, as it is of the opinion that the GDPR already provides a general rule which shall now apply without further specification in Austria.

Furthermore, in the explanatory notes it is stated that the majority of the opening clauses do not address general data protection matters and are therefore not to be included in the Draft. The ministerial working party was of the opinion that such “special” opening clauses should rather be implemented within the relevant specific laws, e.g. (presumably) Employment Act or Criminal Act.

On the other hand, the concern that the Austrian legislator would retain certain specific regulations of the current Data Protection Act 2000 which do not comply with the GDPR has not materialised, due to the very minimalistic approach the ministerial working party took. As such, the various provisions of the Data Protection Act 2000 which were specific to Austria, such as the filing procedure or the obligation to obtain approval of the Data Protection Authority for an international data transfer even where the EU Model Clauses have been concluded, are not included in the Draft and will presumably no longer be part of Austrian law.

Scope of applicability and general provisions

The major change to Austrian law implemented by the Draft is that, following the scope of applicability of the GDPR, its applicability is limited to natural persons, meaning that legal persons are no longer included in the material scope, as they are under the currently applicable Data Protection Act 2000. On this point too the Draft follows the provisions of the GDPR.

In its first section the Draft also stipulates the fundamental right to data protection, which has already been included in the current Data Protection Act 2000. In both versions it is formulated as a constitutional provision and as a human right, but the new wording is more comprehensible than the previous one. Furthermore, as the GDPR does not apply to legal persons, the scope of the fundamental right in the Draft has also been limited to natural persons.

Data protection officers and Data Protection Authority

The first of the main implementation aspects of the Draft are the specifications regarding data protection officers. The Draft states an explicit duty of confidentiality for data protection officers, although this does not apply to information requests from the Data Protection Authority. Further, the Draft provides additional provisions regarding the data protection officer in the public sector.

Another main aspect of the Draft is the specification of the supervisory authority, which will be the Data Protection Authority (“Datenschutzbehörde“) organized as the sole national supervisory authority.

Remedies, Liability and Penalties

The third section of the Draft provides specifying provisions regarding the implementation of remedies, liability and penalties. The implementation of administrative fines does, to a certain extent, make it possible to impose fines primarily on legal persons, but only in a very limited manner.

Thereunder, the Data Protection Authority shall only be able to impose a fine on a legal person if one of its organs holding a management position has acted negligently or breached its duty of supervision. As to the scope of this provision, the ministerial working party refers in its explanatory notes to a similar provision within the Austrian Banking Act (“Bankwesengesetz”), whereby the primary liability of the legal person only applies where organs of the legal person are concerned and not where an employee is acting on instructions. Therefore this limitation may not be in accordance with the GDPR, as the GDPR does not provide an opening clause for Member States to implement such a limitation.

That said, the GDPR also does not specify how the remedies, liability and penalties provisions must be implemented as concerns the responsible persons, beyond the requirement that the remedies are “effective”, so it remains to be seen whether and how this manner of implementation is in line with the GDPR.

Processing for Specific Purposes

The provisions within section 5 of the Draft address data processing for specific purposes, as stated in Article 6 Sec 2 GDPR, and address points such as processing for the purpose of scientific research and statistics or in case of catastrophes.

This is one of the rare occasions in which the ministerial working party has made use of an opening clause. Unfortunately, the ministerial working party did not use the other opening clauses where in our opinion the GDPR is rather incomplete and further national legislation seems necessary. This concerns in particular the opening clauses provided in Articles 6 Sec 4 (processing for compatible purposes set out by member state law), 9 (processing of special categories of personal data) and 10 (processing of personal data relating to criminal convictions and offences) of the GDPR, even though this would have been necessary due to the very general regulation of the GDPR. It remains to be seen whether such provisions will be included in other laws; however, it is our opinion that provisions implementing the above mentioned opening clauses should in any case be included in the Draft itself and not in other laws as the ministerial working party suggests.

Processing of Employee Data

Similarly, as concerns employee data, the Draft provides only a provision stating that the existing provisions of the Employment Act (“Arbeitsverfassungsgesetz”) shall fulfil the requirements of Article 88 GDPR. According to the explanatory notes, the ministerial working party wanted to express clearly with this provision that the specifics of processing employee data shall not be included in the Draft but rather in the relevant labour laws. It remains to be seen whether the legislator will stand by this decision and create provisions in the relevant laws or whether the Draft will be modified.

Video Surveillance / Processing of Image Data

It is quite surprising that the ministerial working party found it to be necessary to include in section 6 of the Draft provisions regarding the processing of images and video surveillance, especially in light of the very minimalistic approach implementing the GDPR. The explanatory notes explain the implementation to be based on Article 6 Sec 2 and 3 in connection with Article 23 GDPR, even though we have major doubts this approach is in line with the GDPR. It is at least our opinion that a clarification regarding the processing of data related to criminal convictions and offences or employee data would have been of greater importance than the processing of images.

Conclusion and outlook

To summarize, the Draft is taking a very minimalistic approach implementing the GDPR and leaves open many vital issues. As such, the Draft leaves the impression that the main intention was to initiate the legislative procedure and the discussion on the implementation, whereas the majority of important decisions regarding the implementation are postponed. Therefore, it remains to be seen how this draft will develop during the legislative procedure, but we are expecting either major amendments before the law is passed or further implementation actions amending other statutory laws.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/austria-draft-gdpr-implementation-act/

ITALY: The privacy authority issues its guidelines on the GDPR

The European privacy regulation (GDPR) can now rely on detailed guidelines from the Italian data protection authority on how to comply with it.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-the-privacy-authority-issues-its-guidelines-on-the-gdpr/

GLOBAL: The GDPR at your fingertips – our new app

We are delighted to announce the launch of DLA Piper’s new Explore GDPR mobile app! It is now available for downloading from Apple’s App Store and Google Play.

The Explore GDPR mobile app has been developed to make the text of the new EU General Data Protection Regulation (GDPR) easily accessible. The app not only provides the full Regulation text but is also fully searchable and links each article to each of the relevant recitals. In addition, articles from the EU GDPR are linked to corresponding articles from its predecessor, the EU Data Protection Directive 95/46/EC.

It is suitable for use on smartphones and also works particularly well on tablets. After downloading the app the content is available even when you are offline.

The text is available in 13 languages, including Czech, Dutch, English, Finnish, French, German, Hungarian, Italian, Polish, Romanian, Slovakian, Spanish and Swedish.

The app requires iOS 8.1, Android 4.1, or later.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-the-gdpr-at-your-fingertips-our-new-app/

The Netherlands: DPA published phased plan to prepare for GDPR

By Richard van Schaik and Róbin de Wit

Last week, the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) published a step-by-step plan for organisations to prepare for the upcoming GDPR. The plan, consisting of 10 steps, reads as follows.

  1. Awareness

As a first step, key players within the organization (e.g. policymakers) need to be aware of the upcoming set of rules. They must assess the impact of the GDPR on current processes, services and products and the adjustments necessary to meet the requirements under the GDPR.

The AP stresses that the implementation of GDPR requirements may be time-consuming. Therefore, the AP strongly recommends commencing as soon as possible with identifying compliance gaps and implementing GDPR-proof solutions.

  2. Rights of individuals

Secondly, the AP points out that individuals have more rights under the GDPR in respect of their personal data. Therefore, processes that enable individuals to actually exercise such rights should be implemented. Organizations are strongly encouraged to create their own (technical) means to comply with requests from individuals, including data portability requests.

The AP emphasizes that individuals may file complaints with the AP regarding the handling of their personal data. The AP is obliged to take each complaint into consideration and to start enforcement action where appropriate.

  3. Records of processing activities

Furthermore, organizations should map their processing activities as the GDPR requires organizations to maintain a record of processing actions that fall under their responsibility. Such records should not only contain information about e.g. the purposes of processing, data subjects involved and the personal data processed, but each category of personal data should also specify the legal basis for processing.

  4. Privacy Impact Assessment (PIA)

As a fourth step, organizations are encouraged to conduct PIAs in order to identify privacy risks associated with data processing activities. PIAs serve as a useful tool to identify compliance gaps and take subsequent actions in order to reduce enforcement risks.

The AP stresses that PIAs are especially valuable with a view to high-risk processing activities, such as activities involving sensitive data.

Also, if an organization is unsuccessful in finding measures to mitigate privacy risks, consultation with the AP is required prior to the start of the relevant processing undertakings.

  5. Privacy by design & privacy by default

In addition, awareness shall be created within the organization when it comes to the principles of ‘privacy by design’ and ‘privacy by default’. Also, it must be verified how these principles should be implemented.

For example, organizations must take measures to ensure that – by default – personal data is only processed insofar necessary in view of the processing purpose(s). The AP clarifies that this means that, e.g.:

  • apps may not process the location of users if such processing is not necessary;
  • tickboxes related to marketing may not be pre-ticked;
  • in case of newsletter subscriptions, organizations may not request to fill out more data than necessary in view of the newsletter request.

  6. Data Protection Officer (DPO)

Organizations may be obliged to appoint a DPO. The AP encourages organizations to identify whether they are subject to this requirement.

If yes, the recruitment and selection procedure should start in due course.

If no, organizations may want to choose to appoint a DPO after all.

  7. Data breach notification duties

The obligation to report data breaches (with the AP and, under circumstances, individuals) will remain largely the same under the GDPR. However, the GDPR contains stricter rules as to the internal recordkeeping of data breaches. All breaches must be documented so that the AP is able to verify that mandatory notification duties have been complied with.

Organizations should make necessary preparations in that respect, and also create data breach awareness amongst employees.

  8. Data processing agreements

As a following step, the AP points out that existing data processing agreements should be examined in order to ensure that the agreements are still adequate and meet the stricter requirements under the GDPR. If not, necessary changes should be agreed upon in time.

Where relevant, new data processing agreements should be drafted with a view to the GDPR requirements.

  9. Lead supervisory authority

If an organization has multiple establishments throughout EU Member States, or if processing activities have an impact on various EU Member States, only one supervisory authority will be competent to act as lead supervisory authority for the cross-border processing. Organizations are encouraged to identify the lead supervisory authority applicable to them.

  10. Consent

As a final step, the AP indicates that stricter rules apply under the GDPR to reliance on consent as the legal basis for processing. Therefore, organizations should evaluate the manner in which consent is requested, obtained and registered, and should amend it where necessary.

Also, organizations should be able to demonstrate that valid consent has been obtained from individuals to process their personal data. Moreover, it must be as easy to withdraw consent as to give it. Therefore, organizations should have appropriate (technical) tools in place to make sure stricter consent requirements under the GDPR are observed.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-dpa-published-phased-plan-to-prepare-for-gdpr/

FRANCE: The French Data Protection Authority (CNIL) Publishes 6-Step Methodology For Compliance With GDPR

By Carol A.F. Umhoefer (carol.umhoefer@dlapiper.com) and Caroline Chancé (caroline.chance@dlapiper.com)


On March 15, 2017, the CNIL published a 6-step methodology for companies that want to prepare for the changes that will apply as from May 25, 2018 under the EU General Data Protection Regulation (“GDPR”).

The abolishment under the GDPR of registrations and filings with data protection authorities will represent a fundamental shift in the data protection compliance framework in France, which has been heavily reliant on declarations to the CNIL and authorizations from the CNIL for certain types of personal data processing. In place of declarations, the CNIL underscores the importance of “accountability” and “transparency”, core principles that underlie the GDPR requirements. These principles necessitate taking privacy risk into account throughout the process of designing a new product or service (privacy by design and by default), implementing proper information governance, and adopting internal measures and tools to ensure optimal protection of data subjects.

In order to help organizations get ready for the GDPR, the CNIL has published the following 6-step methodology:


Step 1: Appoint a data protection officer (“DPO”) to “pilot” the organization’s GDPR compliance program

Pursuant to Article 37 of the GDPR, appointing a DPO will be required if the organization is a public entity, if the core activities of the organization require the regular and systematic monitoring of data subjects on a large scale, or if such activities consist of the processing of sensitive data on a large scale. The CNIL recommends appointing a DPO before the GDPR applies in May 2018.

Even when a DPO is not required, the CNIL strongly recommends appointing a person responsible for managing GDPR compliance in order to facilitate comprehension of and compliance with the GDPR, cooperation with authorities and mitigation of litigation risks.

Step 1 will be considered completed once the organization has appointed a DPO and provided him/her with the human and financial resources needed to carry out his/her duties.


Step 2: Undertake data mapping to measure the impact of the GDPR on existing data processing

Pursuant to Article 30 of the GDPR, controllers and processors will be required to maintain a record of their processing activities. In order to measure the impact of the GDPR on existing data processing and maintain a record, the CNIL advises organizations to identify data processing, the categories of personal data processed, the purposes of each processing, the persons who process the data (including data processor), and data flows, in particular data transfers outside the EU.

To adequately map data, the CNIL recommends asking:

  • Who? (identity of the data controller, the persons in charge of the processing operations and the data processors)
  • What? (categories of data processed, sensitive data)
  • Why? (purposes of the processing)
  • Where? (storage location, data transfers)
  • Until when? (data retention period)
  • How? (security measures in place)

Step 2 will be considered completed once the organization has identified the stakeholders for processing, established a list of all processing by purposes and categories of data processed, and identified the data processors, to whom and where the data is transferred, where the data is stored and for how long it is retained.


Step 3: Based on the results of data mapping, identify key compliance actions and prioritize them depending on the risks to individuals

In order to prioritize the tasks to be performed, the CNIL recommends:

  • Ensuring that only data strictly necessary for the purposes is collected and processed;
  • Identifying the legal basis for the processing;
  • Revising privacy notices to make them compliant with the GDPR;
  • Ensuring that data processors know their new obligations and responsibilities and that data processing agreements contain the appropriate provisions in respect of security, confidentiality and protection of personal data;
  • Deciding how data subjects will be able to exercise their rights;
  • Verifying security measures in place.

In addition, the CNIL recommends particular caution when the organization processes data such as sensitive data, criminal records and data regarding minors, when the processing presents certain risks to data subjects (massive surveillance and profiling), or when data is transferred outside the EU.

Step 3 will be considered completed once the organization has implemented the first measures to protect data subjects and has identified high risk processing.


Step 4: Conduct a privacy impact assessment for any data processing that presents high privacy risks to data subjects due to the nature or scope of the processing operations

Conducting a privacy impact assessment (“PIA”) is essential to assess the impact of a processing on data subjects’ privacy and to demonstrate that the fundamental principles of the GDPR have been complied with.

The CNIL recommends conducting a PIA before collecting data and starting processing, and any time processing is likely to present high privacy risks to data subjects. A PIA contains a description of the processing and its purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to data subjects, and the measures contemplated to mitigate the risks and comply with the GDPR.

The CNIL has published guidelines in 3 volumes to help organizations conduct PIAs (see here, here and here).

Step 4 will be considered completed once the organization has implemented measures to respond to the principal risks and threats to data subjects’ privacy.


Step 5: Implement internal procedures to ensure a high level of protection for personal data

According to the CNIL, implementing compliant internal procedures implies adopting a privacy by design approach, increasing awareness, facilitating information reporting within the organization, responding to data subject requests, and anticipating data breach incidents.

Step 5 will be considered completed once the organization has adopted good practices in respect of data protection and knows what to do and who to go to in case of incident.


Step 6: Document everything to be able to prove compliance to the GDPR

In order to be able to demonstrate compliance, the CNIL recommends that organizations retain documents regarding the processing of personal data, such as: records of processing activities, PIAs and documents regarding data transfers outside the EU; transparency documents such as privacy notices, consent forms, procedures for exercising data subject rights; and agreements defining the roles and responsibilities of each stakeholder, including data processing agreements, internal procedures in case of data breach, and proof of consent when the processing is based on the data subject’s consent.

Step 6 will be considered completed once the organization’s documentation shows that it complies with all the GDPR requirements.


The CNIL’s methodology includes several useful tools (template records, guidelines, template contract clauses, etc.) and will be completed over time to take into account the WP29’s guidelines and the CNIL’s responses to frequently asked questions.


For more information, please contact carol.umhoefer@dlapiper.com or caroline.chance@dlapiper.com

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-french-data-protection-authority-cnil-publishes-6-step-methodology-for-compliance-with-gdpr/

POLAND: GIODO special team publishes the “Proposed procedures before the Inspector General”

By Damian Karwala (Senior Associate, Warsaw)

The Polish Data Protection Authority, GIODO (Generalny Inspektor Ochrony Danych Osobowych), as well as data controllers and data processors in Poland are currently preparing for the General Data Protection Regulation (GDPR). Among other things, GIODO has recently proposed that Administrators of Information Security (so-called “ABIs”, or Administratorzy Bezpieczeństwa Informacji – the Polish counterparts of Data Protection Officers), who are registered in the national register kept by GIODO, will ex lege become Data Protection Officers under the GDPR. According to information on GIODO’s website: “one of the provisions that should be included in the new personal data protection act, pursuant to the necessity to implement the GDPR, is a transitional provision, according to which the ABIs registered in a national, open register should ex lege become Data Protection Officers” (available here in Polish).

This statement is explained by the current status and competencies of ABIs. The function of ABI, in its current state, was introduced in Poland on 1 January 2015 with the aim of preparing a group of privacy professionals to meet the requirements of the GDPR and increasing the professionalisation of this role in organisations. In GIODO’s opinion, its proposal will make “information security administrators who have met all the criteria currently required to fulfill this function [i.e. under Polish regulations] able to continue performing this function without having to take into consideration any further formal actions”. However, this position raises some doubts because, despite their close similarities, the status of ABIs and DPOs is somewhat different. As a result, it does not seem plausible that national data controllers could “automatically” change the name ‘ABI’ into ‘DPO’ without taking any further action, e.g. in relation to a DPO’s obligation to act as a contact point for data subjects and the supervisory authority.

This was one of many issues raised by GIODO in the proposed procedure prepared by a special team working on the reform of data protection law in Poland, appointed by GIODO on 8 July 2016. The draft of this procedure (“Proposed procedures before the Inspector General”, available here in Polish) was sent to the Ministry of Digital Affairs on 27 January 2017, where it is currently subject to further work.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/poland-giodo-special-team-publishes-the-proposed-procedures-before-the-inspector-general/

DLA Piper Italy and AIGI event on the General Data Protection Regulation

DLA Piper Italy and AIGI will run an event on how the General Data Protection Regulation will impact the business of companies on 16 February 2017.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/dla-piper-italy-and-aigi-event-on-the-general-data-protection-regulation/

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

Whilst WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glimpse of WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example, it states that the ‘core activities of the controller or processor’ (which trigger the appointment of a DPO as set out in Article 37 GDPR) refer to the key operations necessary to achieve the controller’s or processor’s goals, which can also form part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR doesn’t require that the DPO is someone working within the controller or processor; the DPO can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.
Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, i.e. where a controller has separate decision-making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank whose banking decisions are made in one jurisdiction, where its HQ is also based, but whose insurance division is based in another jurisdiction. In that case, there are two lead supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.
Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/
