26 Apr 2017
The Article 29 Data Protection Working Party (the "WP29") published new guidance on Data Protection Impact Assessment ("DPIA") relating to the interpretation of the General Data Protection Regulation (the "GDPR"). Additionally, the WP29 published amended guidance on the three topics covered in the guidelines published on 15 December 2016. We have provided an analysis in D&I's previous Data Protection Alert here.
The European Union General Data Protection Regulation (EU) 2016/679 ("GDPR") entered into force on 24 May 2016 and shall apply from 25 May 2018.
The full effects of the GDPR are yet to be clarified by the WP29's (the group of regulators which will later form the European Data Protection Board) guidance. The first guidance was published at the end of last year and further guidance was published earlier this month. Guidance on various other topics will follow during the course of this year.
We at D&I will keep you posted on the developments as they unravel and are happy to help with any questions you may have regarding the GDPR and its effects.
During its last meeting, the WP29 completed guidelines on:
Data Protection Impact Assessment (full guidelines here).
Additionally, the WP29 published further/amended guidance on the topics covered in the guidelines published at the end of 2016:
Data Portability (full guidelines here and our analysis of the original guidelines here);
Data Protection Officers (full guidelines here and our analysis of the original guidelines here); and
Lead Supervisory Authority (full guidelines here and our analysis of the original guidelines here).
You can find the press release published in April 2017 here.
We have summarised the most important aspects introduced by the guidelines and their effects on businesses.
New Guidelines on the Data Protection Impact Assessment (DPIA)
How Is Your Business Affected?
WP29 provides a useful tool that helps to determine the situations in which there is an obligation to draft a DPIA. The criteria introduced in the guidelines are fairly broad, and thus it seems that a DPIA is mandatory in many situations. The format of the DPIA is not pre-set, and the WP29 provides guidance on the aims and purposes of the DPIA rather than a specific form. However, in the annexes of the guideline, the WP29 provides a list of existing EU DPIA frameworks and the criteria that a controller can use to determine whether a DPIA, or a methodology to carry out such a DPIA, is sufficiently comprehensive to comply with the GDPR.
What Is the Data Protection Impact Assessment?
Article 35 of the GDPR provides that the controller has, in certain situations, an obligation to carry out an assessment of the impact of the processing on data subjects (the "Data Protection Impact Assessment").
The minimum contents of the assessment, as well as the triggers, are set out in the GDPR. However, as the GDPR leaves many questions open, it is necessary to seek further guidance.
When Is a DPIA Mandatory?
According to the GDPR, the DPIA is mandatory when processing is "likely to result in a high risk to the rights and freedoms of natural persons". The controller is responsible for assessing the necessity of drafting a DPIA. However, the WP29 introduces criteria that controllers should consider when evaluating whether they have the obligation to carry out the DPIA. As a rule of thumb, if the processing operations meet fewer than two of the criteria listed by the WP29 (e.g. profiling, systematic monitoring, processing on a large scale, data concerning employees), the DPIA may not be required. The criteria are a useful tool for the controller to determine whether the DPIA must be carried out. On the other hand, where processing is not likely to result in a high risk to the rights and freedoms of data subjects, the DPIA is not required. Furthermore, a DPIA is not mandatory for every new processing activity: where a processing activity is already covered by a DPIA, that DPIA fulfils the requirement set forth in the GDPR. Additionally, the DPIA is not mandatory where member state law exempts the processing from the obligation, or where the processing activity is included in an optional list, established by a supervisory authority, of processing operations that do not require a DPIA.
The obligation to conduct a DPIA applies to the processing operations created, or changed significantly, after the GDPR becomes applicable on 25 May 2018. However, as the WP29 emphasises that the DPIA must be revised where necessary, and updated on a regular basis, the controller should assess the need to conduct a DPIA on the processing activities before the GDPR becomes applicable.
We recommend assessing the existing and planned processing activities in the light of the criteria to determine whether the obligation to draft a DPIA applies. Such an assessment should be documented: documentation is necessary if the DPIA is not drafted, and, if the DPIA turns out to be mandatory, the assessment of its necessity provides a good basis for the DPIA itself.
How Should the DPIA Be Carried Out?
The DPIA must be carried out "prior to the processing". The DPIA should be updated where necessary, and the WP29 emphasises that carrying out a DPIA is an ongoing process. Drafting a DPIA is solely the controller's responsibility, but the processor should assist the controller.
The controller must "seek the views of data subjects or their representatives, where necessary". The WP29 considers that the controller should document its justification for not seeking the views of data subjects, and leaves the question of when seeking the views is mandatory somewhat open. In practice, contacting data subjects, whether through surveys of future customers or internal studies, might be impossible in many cases. Therefore, documenting the decision is particularly relevant in many cases.
The Data Protection Officer, where designated, should be consulted and the WP29 finds that consulting independent experts of different professions is recommended in some situations.
What Is the Methodology to Carry Out a DPIA?
Even though the criteria for the DPIA are common, the form and the methodology are not predefined. The GDPR sets out minimum features, but their broadness enables scalability.
The DPIA is, in many ways, close to other risk management processes. However, the WP29 pointed out that, in general, risk management assesses the possible risks to the company whereas a DPIA's purpose is to assess risks to the rights and freedoms of the data subjects.
The controller has the right to determine the form and precise structure of the DPIA, but tools, such as an ISO standard, are also under way. WP29 encourages sector-specific frameworks, of which we will see more in the future.
When Should the Supervisory Authority Be Contacted Or DPIA Be Published?
The controller must consult the supervisory authority if it is not able to sufficiently address the identified risks.
There is no general obligation to publish the DPIA, but the WP29 encourages publishing DPIAs in whole or in part, as doing so may enhance trust in the activities of the controller.
In addition to the new guidelines on the DPIA, the WP29 published further/amended guidance on the topics already covered in a previous D&I Alert. As promised, we have published an update on those guidelines.
Updated Guidelines on the Right to Data Portability
The guidelines are updated mainly with small linguistic changes and clarifications, which include examples. The most important amendment in the guidelines is the WP29's further guidance on the practical aspects of the transmission of the personal data to another controller "without hindrance" and directly "where technically feasible".
What Are the Main Changes?
Firstly, even though there is no specific format to be used for the data transmitted, the "data subject has the right to transmit the data without hindrance from the controller to which the personal data have been provided". The WP29 further clarifies that hindrance can be characterised as "any legal, technical or financial obstacles", such as fees for delivering the data or lack of interoperability or access to a data format or API. The controller has the right to refuse the transmission of data only on the basis of legitimate obstacles, e.g. those related to the security of the controller's systems or to the rights and freedoms of others, as provided in Article 20(4) of the GDPR.
Furthermore, the controller must provide the possibility to transfer the data directly to another controller "where technically feasible". WP29 points out that the transfer could be implemented through a variety of means, including secured messaging, secured WebAPI or WebPortal, and that data subjects should be enabled to use personal information management systems provided by trusted third parties to store and hold the personal data. At D&I we have already seen some examples of such systems being designed, and many such service providers will possibly be on the market in the future. The controller must explain to data subjects the technical impediments to direct transmission if such transmission is not possible.
The notion that the primary aim of the data portability is to enhance competition between services is deleted. In the updated guidelines WP29 outlines that the GDPR is not regulating competition, but only personal data and that the GDPR does not limit portable data to what is necessary for switching services but may also allow new services, e.g. allowing "banks to provide additional services, under the user’s control, using personal data initially collected as part of an energy supply service".
WP29 points out that where it is clear from the data subject's request that his/her intention is to transfer the data based on a sectoral law and not on the GDPR, the data must be transmitted in accordance with such law, and the GDPR does not apply to such a request. However, it is important to note that even in such situations the sectoral law does not override the right to data portability as provided by the GDPR. Therefore, the request and the application of the GDPR must be assessed on a case-by-case basis.
Furthermore, WP29 notes that the controller is acting on behalf of the data subject, and thus should set safeguards to ensure that the data is transmitted in accordance with the data subject's wishes (e.g. only the personal data the data subject wants to transmit is transmitted).
Finally, WP29 points out that the receiving data controllers are not obliged to accept and process personal data transmitted following a data portability request. Accordingly, they should ensure that they have a legal basis for the processing of the received data. However, we find that companies should not only ensure that they can comply with the obligation to transmit the data, but also ensure that they can make the most of the data subjects' possibility to transfer their data to be processed by the company.
Updated Guidelines on Data Protection Officers
The update made by the WP29 takes a very practical approach with regard to the position of the DPO. The updated guidelines provide further insight on the appointment, performance and qualities of a DPO. The most important amendment in the guidelines is the further specification of the availability and accessibility of the DPO.
What Are the Main Changes?
The WP29 mainly clarifies the range of tasks of the DPO. According to the guidelines, the DPO is "designated for all processing operations carried out by the controller or the processor". In practice, this means that the DPO will not be designated to supervise a specific data processing operation. Instead, the DPO will be in charge of all data processing operations within the organisation. The WP29 further specifies, on multiple occasions, that the DPO may have the help of a team, which means that organisations are free to create a DPO unit with multiple employees.
Additionally, the WP29 focuses on the availability and accessibility of the DPO. According to the guidelines, the DPO must be available, "whether physically on the same premises as employees" or "via a hotline or other secure means of communication". Furthermore, to ensure the DPO's accessibility, the WP29 recommends that the "DPO be located within the European Union, whether or not the controller or processor is established in the European Union". However, it is possible that, in some cases, a DPO may be able to carry out his/her activities if located outside the European Union.
The DPO must be able to perform his/her tasks while bound by secrecy and confidentiality. Moreover, the DPO should be given the possibility to report to the highest management level (for example, board of directors and through the DPO's annual report).
The emphasis put on the tasks of the DPO has also led the WP29 to comment further on the DPO's conflict of interest rules. As most organisations will designate an internal DPO, the WP29 concluded that senior management positions (for example, CEO, COO, CFO, Head of Marketing, Head of HR, Head of IT) are conflicting positions.
Finally, the WP29 confirms the ability of the DPO to seek further guidance and to consult the supervisory authorities while respecting the obligation of secrecy/confidentiality.
Last but not least, the guidance on the DPO includes an Annex with "easy-to-read" answers to the key questions, which will address most of the doubts regarding DPOs. We recommend reading the Annex to this guidance before making a decision on the appointment of a DPO.
Updated Guidelines on Identifying a Controller's or Processor's Lead Supervisory Authority
WP29 provides clearer guidance on how to identify the lead supervisory authority. In the revised annex, WP29 provides a list of questions that aim to guide the identification of the lead supervisory authority.
What Are the Main Changes?
First and foremost, the amended guidelines provide more practical guidance, as the annex containing the questions to guide the identification of the lead supervisory authority has been revised to a more practical level.
WP29 provides further elaboration on the application of the term main establishment. WP29 outlines that the main establishment is not just the place where decisions on the processing activities are taken but, in addition, this place has to have the power to have such decisions implemented. WP29 further adds that where a multinational company centralises all the decisions regarding the processing to one establishment in the EU, "only one lead supervisory authority will be identified to the multinational".
The GDPR requires joint controllers to determine their respective responsibilities but does not give guidance on the determination of the lead supervisory authority for joint controllers. WP29 recommends that in order to benefit from the one-stop-shop principle, joint controllers should determine the main establishment.
As pointed out in the original guidelines, the GDPR does not permit forum shopping. WP29 further clarifies that the authorities can rebut the controller's analysis on the lead supervisory authority.
Lastly, WP29 emphasises that the lead supervisory authority is that of the controller (as opposed to that of the processor) and, thus, some "processors may have to deal with multiple supervisory authorities". This may be the case when the processor is located outside the EU but provides services for controllers located in multiple EU Member States.
The WP29 welcomes additional comments from the stakeholders on the Data Protection Impact Assessment guidelines until 23 May 2017. In addition, the WP29 announced that more guidelines will follow, namely on Certification, Consent, Profiling and Notifications on Data Breaches. D&I will provide further insight on these when published.
As the GDPR leaves some of the issues to be decided upon by the EU Member States, not all issues are clarified at the EU level. The implementation process in Finland is under way and is led by the Finnish Ministry of Justice. The Ministry has appointed a working group to aid it in the process. In 2015, the Finnish Ministry of Justice assigned D&I to prepare a report on the impact of the Regulation on companies established in Finland.
We at Dittmar & Indrenius are happy to help with any questions you may have regarding the GDPR and its effects, and will keep you posted on the implementation process and the further clarifications from the European Data Protection Authorities.