News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | WP29’s final word on DPOs, data portability, and the one-stop shop Related reading: Notes from the Asia-Pacific region, 19 April 2024

rss_feed

""

""

On April 5, 2017, the Article 29 Working Party adopted revised versions of its guidance on data protection officers, the right to data portability, and identifying a lead supervisory authority under the GDPR. The IAPP reported on the draft guidance documents when they were first published. The revised guidance documents incorporate changes based on the WP29’s consultation with stakeholders after publication of the original drafts. Generally, the changes are minor, but the WP29 has provided a few significant clarifications.

We have grouped them below to highlight those changes privacy pros should particularly note:

DPO Readiness

Much of the WP29’s guidance on the requirement to appoint a DPO was not significantly changed in this revision. Specifically, the revision does not significantly change the WP29 guidance on the definition of “core activities,” “large scale,” “regular and systematic monitoring,” or “public authority or body.” However, there are a few notable adjustments.

The DPO should be located in Europe

The revised guidance adds the following recommendation about the location of the DPO: “To ensure that the DPO is accessible, the WP29 recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union.” As a possible exception, the WP29 allows that in some situations, “where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his or her activities more effectively if located outside the EU.”

Scope of a DPO’s responsibility

The revised document adds the following: “The DPO, whether mandatory or voluntary, is designated for all the processing operations carried out by the controller or the processor.”

The DPO reports directly to the highest management level

Generally, the revised guidance does not change the WP29’s recommendations regarding DPO qualifications. But the WP29 has added language drawing attention to the requirement under Article 38(3) that the DPO “shall directly report to the highest management level of the controller or the processor.” The WP29 explains, “Such direct reporting ensures that senior management (e.g. board of directors) is aware of the DPO’s advice and recommendations as part of the DPO’s mission to inform and advise the controller or the processor. Another example of direct reporting is the drafting of an annual report of the DPO’s activities provided to the highest management level.”

Data-driven marketing activities

The revised guidance adds “data-driven marketing activities” to the WP29’s list of example activities that may constitute a “regular and systematic monitoring” of data subjects, which, if engaged in on a “large scale” requires the designation of a DPO. The list already included examples ranging from operating a telecommunications network to monitoring wellness data via wearable devices.

Data Portability

Competition is not the primary purpose

Removing language about facilitating switching as the “primary aim” of data portability, “thus enhancing competition between services,” the revision clarifies that the “GDPR is regulating personal data and not competition.” Therefore, any benefits to competition are incidental. “In particular, article 20 does not limit portable data to those which are necessary or useful for switching services.”

“Personal data” includes data observed from the activities of users

As before, the WP29 provides guidance on the scope of the right to data portability under Article 20(1) of the GDPR, which includes data that is: (1) personal data concerning the data subject, and (2) which the data subject has provided to a data controller. The revised document reiterates that the WP29 interprets “has provided” broadly. Beyond data that is “knowingly and actively” provided by a data subject, “data ‘provided by’ the data subject also result from the observation of his activity.” This clarifies the old guidance, which instead described data “generated by and collected from the activities of users.” The revised guidance continues, “As a consequence, the WP29 considers that to give its full value to this new right, ‘provided by’ should also include the personal data that are observed from the activities of users such as raw data processed by a smart meter or other types of connected objects, activity logs, history of website usage or search activities.”

Third-party data ported to a new controller may not be used by that controller for its own purposes

The revised guidance provides additional clarity as to how data controllers should avoid adversely affecting the rights and freedoms of third parties when complying with the right to data portability. As before, the WP29 believes that a “receiving” data controller’s processing of third-party data would likely fall under the Article 6(1)(f) legitimate interest, particularly when the controller provides a service that allows the data subject “to process personal data for a purely personal or household activity.” The revised document clarifies that, “The processing operations initiated by the data subject in the context of personal activity that concern and potentially impact third parties remain under his or her responsibility, to the extent that such processing is not, in any manner, decided by the data controller.” 

The WP29 also outlines specific processing that it views as prohibited in such a situation: (1) marketing products and services to third-party data subjects, (2) using data provided by a data subject to “enrich the profile of the third-party data subject and rebuild his social environment, without his knowledge and consent” and (3) using such data to “retrieve information about such third parties and create specific profiles, even if their personal data are already held by the data controller.” The latter two examples are new additions to the revised document. Regarding the second example, a new footnote explains: “A social networking service should not enrich the profile of its members by using personal data transmitted by a data subject as part of his right to data portability, without respecting the principle of transparency and also making sure they rely on an appropriate legal basis regarding this specific processing.”

Controllers should not hinder data portability

The revised WP29 guidance includes an additional section describing the practices that may constitute “hindrance” of data portability, including “any legal, technical or financial obstacles placed by data controller in order to refrain or slow down access, transmission or reuse by the data subject or by another data controller. For example, such hindrance could be: fees asked for delivering data, lack of interoperability or access to a data format or API or the provided format, excessive delay or complexity to retrieve the full dataset, deliberate obfuscation of the dataset, or specific and undue or excessive sectorial standardization or accreditation demand.” A footnote further clarifies that legitimate obstacles may arise (such as third-party rights or data-security concerns) but it is “the responsibility of the data controller to justify why such obstacles would be legitimate and why they do not constitute a hindrance.” This section also provides significant further guidance about technical feasibility limitations on data transfers and the technical paths that data controllers should explore for making portable data available to the data subject.

Lead Supervisory Authorities

Helpfully, the Annex at the end of this guidance document has been updated to more clearly guide the steps in selecting a lead supervisory data authority. 

A controller’s main establishment has the power to both make and implement decisions about the purposes and means of processing

The revised guidance clarifies that a controller’s central administration in the EU is not only “the place where decisions about the purposes and means of the processing of personal data are taken,” as originally outlined in the draft guidance, but also that “this place has the power to have such decisions implemented.”

The original guidance allowed for the possibility that a company may have multiple “lead authorities” if decisions about different types of data processing are made in different Member States by different members of the organization. The revised document reiterates that this need not be the case. “It is worth recalling, that where a multinational company centralises all the decisions relating to the purposes and means of processing activities in one of its establishments in the EU (and that establishment has the power to implement such decisions), only one lead supervisory authority will be identified for the multinational.”

Joint controllers

The WP29 acknowledges that the GDPR is silent as to how to determine the lead supervisory authority when controllers jointly determine the purpose and means of processing, as provided in Article 26. In order to benefit from the one-stop-shop principle, the WP29 recommends that joint controllers “should designate (among the establishments where decisions are taken) which establishment of the joint controllers will have the power to implement decisions about the processing with respect to all joint controllers. This establishment will then be considered to be the main establishment for the processing carried out in the joint controller situation.”

Authorities may rebut the controller’s designation of its lead authority

As described in the original draft, the data controller identifies its own main establishment, and therefore which supervisory authority is its lead authority, which can be “challenged by the respective supervisory authority concerned afterwards.” The revised guidance provides further details of this process: “The lead supervisory authority, or concerned authorities, can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.”

A processor may have to deal with multiple supervisory authorities

As outlined in the original draft, when a case involves both a controller and a processor, the lead supervisory authority of the controller is what counts. The revision adds language elaborating on the implications of this rule: “A processor may provide services to multiple controllers located in different Member States – for example, a large cloud-service provider. In such cases, the lead supervisory authority will be the supervisory authority that is competent to act as lead for the controller. In effect, this means a processor may have to deal with multiple supervisory authorities.”

Author
Headshot Cobun Zweifel-Keegan, CIPP/US, CIPM IAPP Staff Contributor
Tags
Europe
Enforcement
Privacy Law
Privacy Operations Management
2 Comments

If you want to comment on this post, you need to login.

  • comment Roger Edwards • Apr 20, 2017 
    "If you have no establishment in the EU and your decisions about the means and proposes of processing, your third party processor contracting decisions, your strategic product development, your data security design and management, your online marketing strategies, your senior management oversight meetings and your data breach response team, are all carried out or centered in your headquarters country (which is incidentally where the controller's main establishment is located), there may in fact just be some limited circumstances where the DPO might actually be more effective in its statutory role if also located there rather than being close to the local regulator."  Expecting to hear some healthy debate on these radical notions at the next conference.
  • comment Roger Edwards • Apr 21, 2017 
    Interestingly, an EU-based DPO, especially a professional consulting organization, faced with an appointment as DPO to an organization for which 95% of the operational control, management activity, processing decisions, strategic product design is conducted in the foreign headquarters, but which has EU located sales subsidiaries must carefully consider it's Article 39 duties.  If access to local sales entities, but minimal direct access to headquarters and operations center diminishes it's effectiveness​ as a DPO it's overarching obligation to maximize the corporation's compliance an ethical analysis must be conducted notwithstanding the WP 29 recommendation for entities with an EU establishment.  If a DPO accepts such a situation and a material non-compliance occurs under his or her watch, does the company have a valid action against the DPO for failing to  effect proper oversight (if it can show the EU based DPO could reasonably exercise only nominal and limited remote oversight)?  Does the DPO have an ethical obligation not to undertake appointments it cannot fully support?  If it does so, will that failure invalidate protections from liability.  As a separate question, if an EU based DPO accepts a long distance appointment and requests frequent flights and hotel stays to attend meetings at headquarters, does this become an issue of a controller not providing a DPO with necessary resources? Clearly company will need to make a careful analysis prior to it's initial selection.
Related Stories
Notes from the Asia-Pacific region, 19 April 2024
Hello, privacy pros. It was great to reconnect with old friends at the IAPP Global Privacy Summit in Washington, D.C., and meet some new faces too. Back from Summit, brimming with joy and excitement, I'm diving back into the usual busy life as a privacy lawyer in Beijing. In recent weeks, China iss...
Read More queue Save This
Related Stories
Tags
Europe
Enforcement
Privacy Law
Privacy Operations Management
Recent Comments