TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | WP29’s final word on DPOs, data portability, and the one-stop shop Related reading: Martin Abrams: A look back at a career in information privacy and consumer policy



On April 5, 2017, the Article 29 Working Party adopted revised versions of its guidance on data protection officers, the right to data portability, and identifying a lead supervisory authority under the GDPR. The IAPP reported on the draft guidance documents when they were first published. The revised guidance documents incorporate changes based on the WP29’s consultation with stakeholders after publication of the original drafts. Generally, the changes are minor, but the WP29 has provided a few significant clarifications.

We have grouped them below to highlight those changes privacy pros should particularly note:

DPO Readiness

Much of the WP29’s guidance on the requirement to appoint a DPO was not significantly changed in this revision. Specifically, the revision does not significantly change the WP29 guidance on the definition of “core activities,” “large scale,” “regular and systematic monitoring,” or “public authority or body.” However, there are a few notable adjustments.

The DPO should be located in Europe

The revised guidance adds the following recommendation about the location of the DPO: “To ensure that the DPO is accessible, the WP29 recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union.” As a possible exception, the WP29 allows that in some situations, “where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his or her activities more effectively if located outside the EU.”

Scope of a DPO’s responsibility

The revised document adds the following: “The DPO, whether mandatory or voluntary, is designated for all the processing operations carried out by the controller or the processor.”

The DPO reports directly to the highest management level

Generally, the revised guidance does not change the WP29’s recommendations regarding DPO qualifications. But the WP29 has added language drawing attention to the requirement under Article 38(3) that the DPO “shall directly report to the highest management level of the controller or the processor.” The WP29 explains, “Such direct reporting ensures that senior management (e.g. board of directors) is aware of the DPO’s advice and recommendations as part of the DPO’s mission to inform and advise the controller or the processor. Another example of direct reporting is the drafting of an annual report of the DPO’s activities provided to the highest management level.”

Data-driven marketing activities

The revised guidance adds “data-driven marketing activities” to the WP29’s list of example activities that may constitute a “regular and systematic monitoring” of data subjects, which, if engaged in on a “large scale” requires the designation of a DPO. The list already included examples ranging from operating a telecommunications network to monitoring wellness data via wearable devices.

Data Portability

Competition is not the primary purpose

Removing language about facilitating switching as the “primary aim” of data portability, “thus enhancing competition between services,” the revision clarifies that the “GDPR is regulating personal data and not competition.” Therefore, any benefits to competition are incidental. “In particular, article 20 does not limit portable data to those which are necessary or useful for switching services.”

“Personal data” includes data observed from the activities of users

As before, the WP29 provides guidance on the scope of the right to data portability under Article 20(1) of the GDPR, which includes data that is: (1) personal data concerning the data subject, and (2) which the data subject has provided to a data controller. The revised document reiterates that the WP29 interprets “has provided” broadly. Beyond data that is “knowingly and actively” provided by a data subject, “data ‘provided by’ the data subject also result from the observation of his activity.” This clarifies the old guidance, which instead described data “generated by and collected from the activities of users.” The revised guidance continues, “As a consequence, the WP29 considers that to give its full value to this new right, ‘provided by’ should also include the personal data that are observed from the activities of users such as raw data processed by a smart meter or other types of connected objects, activity logs, history of website usage or search activities.”

Third-party data ported to a new controller may not be used by that controller for its own purposes

The revised guidance provides additional clarity as to how data controllers should avoid adversely affecting the rights and freedoms of third parties when complying with the right to data portability. As before, the WP29 believes that a “receiving” data controller’s processing of third-party data would likely fall under the Article 6(1)(f) legitimate interest, particularly when the controller provides a service that allows the data subject “to process personal data for a purely personal or household activity.” The revised document clarifies that, “The processing operations initiated by the data subject in the context of personal activity that concern and potentially impact third parties remain under his or her responsibility, to the extent that such processing is not, in any manner, decided by the data controller.” 

The WP29 also outlines specific processing that it views as prohibited in such a situation: (1) marketing products and services to third-party data subjects, (2) using data provided by a data subject to “enrich the profile of the third-party data subject and rebuild his social environment, without his knowledge and consent” and (3) using such data to “retrieve information about such third parties and create specific profiles, even if their personal data are already held by the data controller.” The latter two examples are new additions to the revised document. Regarding the second example, a new footnote explains: “A social networking service should not enrich the profile of its members by using personal data transmitted by a data subject as part of his right to data portability, without respecting the principle of transparency and also making sure they rely on an appropriate legal basis regarding this specific processing.”

Controllers should not hinder data portability

The revised WP29 guidance includes an additional section describing the practices that may constitute “hindrance” of data portability, including “any legal, technical or financial obstacles placed by data controller in order to refrain or slow down access, transmission or reuse by the data subject or by another data controller. For example, such hindrance could be: fees asked for delivering data, lack of interoperability or access to a data format or API or the provided format, excessive delay or complexity to retrieve the full dataset, deliberate obfuscation of the dataset, or specific and undue or excessive sectorial standardization or accreditation demand.” A footnote further clarifies that legitimate obstacles may arise (such as third-party rights or data-security concerns) but it is “the responsibility of the data controller to justify why such obstacles would be legitimate and why they do not constitute a hindrance.” This section also provides significant further guidance about technical feasibility limitations on data transfers and the technical paths that data controllers should explore for making portable data available to the data subject.

Lead Supervisory Authorities

Helpfully, the Annex at the end of this guidance document has been updated to more clearly guide the steps in selecting a lead supervisory data authority. 

A controller’s main establishment has the power to both make and implement decisions about the purposes and means of processing

The revised guidance clarifies that a controller’s central administration in the EU is not only “the place where decisions about the purposes and means of the processing of personal data are taken,” as originally outlined in the draft guidance, but also that “this place has the power to have such decisions implemented.”

The original guidance allowed for the possibility that a company may have multiple “lead authorities” if decisions about different types of data processing are made in different Member States by different members of the organization. The revised document reiterates that this need not be the case. “It is worth recalling, that where a multinational company centralises all the decisions relating to the purposes and means of processing activities in one of its establishments in the EU (and that establishment has the power to implement such decisions), only one lead supervisory authority will be identified for the multinational.”

Joint controllers

The WP29 acknowledges that the GDPR is silent as to how to determine the lead supervisory authority when controllers jointly determine the purpose and means of processing, as provided in Article 26. In order to benefit from the one-stop-shop principle, the WP29 recommends that joint controllers “should designate (among the establishments where decisions are taken) which establishment of the joint controllers will have the power to implement decisions about the processing with respect to all joint controllers. This establishment will then be considered to be the main establishment for the processing carried out in the joint controller situation.”

Authorities may rebut the controller’s designation of its lead authority

As described in the original draft, the data controller identifies its own main establishment, and therefore which supervisory authority is its lead authority, which can be “challenged by the respective supervisory authority concerned afterwards.” The revised guidance provides further details of this process: “The lead supervisory authority, or concerned authorities, can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.”

A processor may have to deal with multiple supervisory authorities

As outlined in the original draft, when a case involves both a controller and a processor, the lead supervisory authority of the controller is what counts. The revision adds language elaborating on the implications of this rule: “A processor may provide services to multiple controllers located in different Member States – for example, a large cloud-service provider. In such cases, the lead supervisory authority will be the supervisory authority that is competent to act as lead for the controller. In effect, this means a processor may have to deal with multiple supervisory authorities.”


If you want to comment on this post, you need to login.

  • comment Roger Edwards • Apr 20, 2017
    "If you have no establishment in the EU and your decisions about the means and proposes of processing, your third party processor contracting decisions, your strategic product development, your data security design and management, your online marketing strategies, your senior management oversight meetings and your data breach response team, are all carried out or centered in your headquarters country (which is incidentally where the controller's main establishment is located), there may in fact just be some limited circumstances where the DPO might actually be more effective in its statutory role if also located there rather than being close to the local regulator."  Expecting to hear some healthy debate on these radical notions at the next conference.
  • comment Roger Edwards • Apr 21, 2017
    Interestingly, an EU-based DPO, especially a professional consulting organization, faced with an appointment as DPO to an organization for which 95% of the operational control, management activity, processing decisions, strategic product design is conducted in the foreign headquarters, but which has EU located sales subsidiaries must carefully consider it's Article 39 duties.  If access to local sales entities, but minimal direct access to headquarters and operations center diminishes it's effectiveness​ as a DPO it's overarching obligation to maximize the corporation's compliance an ethical analysis must be conducted notwithstanding the WP 29 recommendation for entities with an EU establishment.  If a DPO accepts such a situation and a material non-compliance occurs under his or her watch, does the company have a valid action against the DPO for failing to  effect proper oversight (if it can show the EU based DPO could reasonably exercise only nominal and limited remote oversight)?  Does the DPO have an ethical obligation not to undertake appointments it cannot fully support?  If it does so, will that failure invalidate protections from liability.  As a separate question, if an EU based DPO accepts a long distance appointment and requests frequent flights and hotel stays to attend meetings at headquarters, does this become an issue of a controller not providing a DPO with necessary resources? Clearly company will need to make a careful analysis prior to it's initial selection.