Data protection continues to be a key area of focus for the EU legislator. One of the most topical and widely anticipated legal tools in this regard is the European Data Protection Regulation of 27 April 2016 (Regulation (EU) 2016/679) (GDPR). This robust tool will enter into force in May 2018 and may well have a variety of implications for your business.
In anticipation of this upcoming regulation, the common body of European data protection authorities, the Working Party 29 (WP29) issued some new guidance on the concept of data portability and data protection officers as well as the lead supervisory authority.
The GDPR will empower data subjects with stronger rights to control their data. One of the new rights is data portability. It allows data subjects to receive the data they knowingly and actively provided to the controller. Besides empowering data subjects regarding their own personal data, one of the main aims of this right is also to facilitate the ability to move, copy or transmit personal dataeasily from one IT environment to another. From a wider perspective, the EU is aiming to use this right to encourage innovations, thereby promoting new business models linked to more data sharing under the data subject’s control. According to the WP29, however, inferred and derived data are excluded from the scope of this right. In any event, the WP29 is encouraging businesses to adopt application interferences (API) for this right to be effectively implemented. There will, however, be no obligation to create interoperable systems between controllers. Nevertheless, controllers are to ensure the data security of the transfers and may still be subject to post-transfer data subject obligations.
Regarding Data Protection Officers (DPOs), the GDPR will mandate their nomination, for example for large scale processing or cases in which the core activities of the controller involve data processing. The WP29 is encouraging a broad interpretation of these notions and is also recommending the nomination of a DPO even in cases in which the controller would not fall under the mandatory nomination regime. Also, even for a processor, nominating a DPO may be a good practice. The WP29’s guidance covers the nomination, skills and level of expertise of DPOs. The DPOs appear crucial in facilitating compliance, for implementing data protection measures and for fostering a data protection culture. Yet, the WP29 has confirmed that liability in these matters rests with controllers and processors.
Lead supervisory authority
The GDPR introduces the concept of a “one-stop-shop” for handling data protection related complaints. The lead authority is to act as the main responsible authority and coordinate the handling of the complaint in cross-border cases. As a rule, there will only be one lead authority per case. The determination of which supervisory authority will assume this role depends mainly upon the main establishment of the controller or processor. A lead supervisory scenario can also arise in cases in which the controller’s or processor’s activities substantially affects or is likely to substantially affect data subjectsin more than one Member State. The WP29 has stated that these cases will be subject to case-by-case interpretation with a number of different factors being taken into account. There may also be situations where more than one lead authority can be identified. Furthermore, the WP29 has also provided some criteria for identifying the main establishment in cases where no place of central administration in the EU exists. However, some borderline situations are also likely to arise. In any event, the WP29 strongly advocates the view that national supervisory authorities are to co-operate with each other. In addition, if the lead supervisory authority refuses to handle the case for any reason, the concerned supervisory authority would then be called upon to take the lead.
In the light of the above, the impact of data portability might be greater than first thought. Furthermore, with the entry into force of the GDPR, the WP29 itself will be replaced by a new European Data Protection Board. Many other issues are still likely to receive new recommendations and other guidance as many concepts in the GDPR remain broadly defined and their application can vary depending on the industry, strategy and size of the company in question.
The Borenius Data Protection Team will ensure your company is up to speed with these topics, so do not hesitate to contact us.