28 Apr 3 guidelines issued by Article 29 Working Party

In the issue ICT Insider January 2017, we anticipated that the Article 29 Working Party (“WP29”) issued 3 guidelines on certain aspects related to General Data Protection Regulation (“GDPR”) that had given concerns since the very beginning of their publication. In its last Plenary meeting of this month, WP29 updated and approved the following guidelines:
1 Data Protection Officer (DPO) (Art.37);
2 Right to data portability (Art.20);
3 Identification of a controller or processor’s lead supervisory authority (Art.56);
With this issue of ICT Insider 2017, we will examine more in depth the content of the updates provided by WP29.

On Data Protection Officer
The purpose of these guidelines is to clarify how to apply the provisions of the GDPR in relation to the figure of the Data Protection Officer (“DPO”).
The notion of DPO is not new and it has already been developed in some EU countries, such as, for example, Germany. In the WP29’s opinion, this figure is crucial in building a legal framework which is truly based on the concept of accountability. Whilst from a legal point of view its appointment is mandatory only in certain cases (see further below), WP29 suggests a DPO would also be helpful beyond those required cases.
According to Art. 37 of the GDPR, the figure of the DPO is mandatory in only three cases.
In fact, the controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body;
b) the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
The guidelines provide clarifications on certain key notions used in the GDPR that must be well understood and put into practice in order to be properly applied.

“Public authority or body”
WP29 specifies that the GDPR does not contain a definition of these expressions, but in terms of interpretation, it is considered appropriate that these are traced to the national laws. It also emphasizes that public office could also be carried out by various entities having private nature, but still falling within the definition above (for example, in the case of public transport or energy supply). Although in this case the obligation could not be met, WP29 still recommends the appointment of the afore-mentioned role.

“The core activities of the controller or the processor”
The concept of “core activities”, as interpreted by WP29, should not be understood as the exclusive activity with respect to which the processing of data comes a second activity. It may also be a non-core business, but in which the data processing represents an inextricable part. For example, the main activity of a hospital is to provide medical care, but this could not be effectively carried out without the use of patients’ sensitive data. Consequently, despite the treatment made by the hospital is not its core activity, it still requires the appointment of the DPO.

“Large scale”
Once again the GDPR does not provide a definition of what should be understood as “large-scale” (despite some references made in some parts of the GDRP such as in Recital 91).
In order to interpret such notion, a number of elements must be considered, such as the number of data subjects involved, the volume of processed data, the duration of the processing activities, the geographic extent of processing etc.
Examples of a large scale may be the processing put in place by a single hospital, tracing people through travel cards of a public transport system, the processing of real time geolocation of customers of a fast food chain for statistical purposes or the processing of customer data in the regular course of business by an insurance company or a bank.
On the other hand, what does not constitute a large scale is the data processing of patients by a single physician or the judicial data processed by an individual lawyer.

“Regular and systematic monitoring”
Again, this is not expressly defined, although invoked elsewhere (i.e. Recital 24) and it certainly includes the tracking and profiling on Internet of the behaviour of data subjects.
A29WP, interprets ‘regular’ as meaning one or more of the following: i) ongoing or occurring at particular intervals for a particular period; ii) recurring or repeated at fixed times; iii) constantly or periodically taking place. “Systematic” in the sense that is part of a system, strategy, pre-organised, organised, methodical, or it is carried out within a general plan for data collection.
Compared to the first draft, these guidelines further specify aspects of the DPO’s role and functions. More precisely:

Accessibility. The DPO must be available physically or through secure communication lines (e.g., e-mail, phone hotlines) that are easily accessible to data subjects and supervisory authorities in their own language. In case of physical presence, A29WP recommends that the DPO is established in the Union territory, admitting that in some circumstances it may also be established outside the EU.

Professionalism and experience. The DPO must have: expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR; understanding of the processing operations carried out; understanding of information technologies and data security; knowledge of the business sector and the organisation; ability to promote a data protection culture within the organisation. These requirements also apply to the external DPO (e.g. a law firm) and to all its components.

Resources and independence. The DPO must have: sufficient resources in terms of time and money to fulfil its tasks; access to services and structures that handle personal data within the organisation; active support from senior management and continuous training. In order to perform its function, the DPO must not: receive instructions by the controller or the processor regarding the exercise of the DPO’s tasks; be dismissed or penalised by the controller for the performance of the DPO’s tasks; be in conflict of interest with possible other tasks and duties (e.g., CEO, CFO, Head of Marketing, HR or IT teams).

Functions: As part of these duties to monitor compliance, DPOs may; identify, analyse and verify the compliance of the data processing activities which are performed; inform, advise and issue recommendations to the controller or the processor, including e.g., whether to undertake a Data Protection Impact Assessment, what methodology to follow, whether to outsource this activity, and if its conclusions are correct.
If you want to know more, write here.

On the right to data portability

Main premise to the guidelines on the right to portability provided at Art. 20 is the distinction between the latter and other rights enshrined in the GDPR.

In highlighting the importance of Art.20 of the GDPR, WP29 explains that this right differs from the right of access as “it allows for data subjects to receive the personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller”. Moreover, the right to data probability enshrined in GDPR is different from the right of access guaranteed under the Data Protection Directive 95/46/EC because, in the latter, individuals were forced to receive the requested information in a format chosen by the data controller. This new right seems more exhaustive, giving individuals the possibility to easily move, transfer and copy their personal data from one IT environment to another: a key aspect for a better competition among companies.

The main elements of the right to data portability have been clarified by the WP29 under the following points.
1. Data Portability must ensure:
the right to receive and retain personal data on a private device or a private cloud, without necessarily transferring personal data to another data controller;
the right to transmit those data to another data controller without hindrance in order to promote innovation and data sharing in a secure manner with the data subject’s control. In this context, the data controller will not be responsible for compliance with the rules on the protection of personal data by the new data controller, but it will have to ensure that the new data controller actually acts on behalf of the data subject and that the data transmitted are only those that data subject wishes to communicate. Otherwise, the new data controller is not obliged to accept and treat the received data: if he decides to do so, he will only have to deal with the necessary and relevant data for the delivery of the service;
the safeguarding and protection of other rights, excluding the automatic deletion of data.
2. The right to data portability shall apply when:
the conditions set forth in Art. 20.1.a of the GDPR are fulfilled, but not when data are processed for instance in order to fulfil the obligation to prevent crimes by financial institutions.
3. Data subject to portability are:
personal data concerning the data subject, excluding anonymized data. When data refers to third parties (e.g., logs relating to inbound and outbound calls), there is no need to apply a narrower interpretation of this rule;
personal data provided by the data subject, including those derived from the observation of its activities, such as raw data processed by smart meters and related objects activity logs, history of website usage or search activities. This includes: i) data actively and knowingly provided by the data subject (e.g., mailing address, user name, age, etc.); ii) observed data provided by the data subject by virtue of the use of the service or the device (traffic data, location data, raw data such as heart rate detected by a wearable device). Generally speaking, the phrase “provided by the data subject” must be interpreted broadly, excluding “derivative” and “inferred” data among which there are those created by the service provider.
4. Under the general principles governing the exercise of rights:
data subject must be informed about the right to data portability, distinguishing this right from the others recognised by the GDPR: A29WP therefore recommends to disclose which types of data that can be obtained by exercising this right;
for the identification of data subject, the data controller may not request unrelated or unnecessary data;
it is good practice to define the period within which the request for data portability can generally be fulfilled;
the requests of to data portability must always and in any case be met;
the overall costs to implement data portability mechanisms (e.g., through APIs) should not be charged or used to deny the exercise of this right.
5. To transmit data:
data controller must evaluate two different and complementary paths: (i) a direct transmission of the overall dataset of portable data; (ii) an automated tool that allows extraction of relevant data. (e.g., secure messages, SFTP servers, web APIs, web portals);
adequate formats are required to ensure a broad level of data portability, excluding those that require licensing costs. If there are no commonly used formats, data controllers should provide personal data using commonly used open formats (e.g., XML, JSON, CSV, etc.) along with useful metadata at the best possible level of granularity and usage of the data transmitted;
interoperable systems are to be implemented;
measures should be taken to reduce risks (e.g., suspention in case an account has been compromised; in cases of a direct transmission, authentication by mandate, such as token- based authentications) at no extra cost;
data controller must provide information to data subjects about the measures to be taken (e.g. encryption tools) for data protection in their systems.
If you want to know more, write here

On identification of a controller or processor’s lead supervisory authority

As highlighted by WP29, the aim of these guidelines is to assist data controllers and data processors in the identification of the lead supervisor authority.

It is made clear from the very beginning that the lead supervisory authority mechanism is put in place only in the context of cross-border processing. It is therefore necessary to identify whether any cross-border processing is being carried out.

According to Article 4(23) of the GDPR, “cross-border processing” could mean either the:
– processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
– processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

The GDPR does not define the sentence ‘substantially affects’. However, we are informed that Supervisory Authorities will interpret ‘substantially affects’ on a case by case basis. To be taken into account: the context of the processing, the type of data, the purpose of the processing and factors such as whether the processing activities are being performed. A processing that does not have a substantial effect on individuals will not fall within the scope of cross-border processing, as defined by the second part of the above definition.

Furthermore, the Guidelines highlight how to locate controllers and processors in relation to their establishment in the Union. The criteria set in the GDPR is that the main establishment is constituted by controller’s/processor’s central administration in the EU where decisions about the purposes and means of the processing of personal data are taken, even though “the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment” (Recital 36 of the GDPR).

With regards to the controller, according to Article 56 of the GDPR, the supervisory authority of the country where the main establishment of the organization is based will be the lead authority. The factors below are useful for determining the location of a controller’s main establishment:

–        Does it have a single establishment in the EU?
If so, and if the processing substantially affects or is likely to substantially affect data subjects in more than one Member State, the lead supervisory authority is the supervisory authority of the place of that single establishment.

–        Does it have an EU headquarters?
If so, it must be determined its role and what decisions about the purposes and means of the processing are taken within this establishment and if this establishment has the power to implement decisions concerning the processing activity.

With regards to the processor, the GDPR also allows data processors that are subject to the GDPR, and have establishments in more than one Member State, to benefit from the one-stop-shop system.

The Guidelines stress that there could be borderline and complex situations where it is difficult to identify the main establishment or to determine where decisions about data processing are taken. This might be the case where there is cross-border processing activity and the controller is established in several Member States, but there is no central administration in the EU and none of the EU establishments are taking decisions about the processing, as for example when decisions are taken exclusively outside of the EU.

In these circumstances, the Guideline state, the pragmatic way to deal with this would be for the data controller to designate the establishment that will act as its main establishment. Alternatively, the competent supervisor authority will take a decision over this issue. One more issue is when a case involves both controller and processor with establishment in different countries, since also the processor that are subject to the GDPR, and have establishments in more than one Member State, may benefit from the one-stop-shop system: if so, the competent lead supervisory authority should be the lead supervisory authority for the controller (Recital 36 of the GDPR).

The WP29 lists also a set of detailed questions, helpful to identify the lead supervisory authority in case of doubt.
If you want to know more, write here