EU Regulators Issue First GDPR Guidance

The panel of European national privacy regulators, known as the ‘Article 29 Working Party’, has issued its first set of substantive guidance addressing issues under the EU General Data Protection Regulation (GDPR). The GDPR, scheduled to enter into force in May 2018, constitutes a sweeping reform in the areas of data protection and data privacy. The GDPR applies not only to data handlers established in the EU, but also to many businesses established outside the EU that process personal data of EU data subjects. 

The first guidelines discuss the GDPR’s newly established ‘Right to Data Portability’. It gives data subjects a dual right: to receive personal data which they have provided to a data controller, in a structured, commonly used and machine-readable format, and to have that data transmitted to another data controller. The guidance clarifies that this new right is limited to personal data that the data subject actively or passively provided. It excludes derivative data created or inferred by the data controller. It also excludes data collected from third-party sources. The guidance encourages data controllers to develop mechanisms to facilitate data portability requests, such as download tools and Application Programming Interfaces. See the guidelines and FAQ on data portability.
 
The second guidelines explain the GDPR’s newly established role of an organizational Data Protection Officer (DPO). DPOs are primarily entrusted with monitoring an organization’s compliance with the GDPR, performing data protection impact assessments and overseeing record-keeping. The guidance explains that organizations should appoint DPOs having an appropriate level of expertise in national and European data protection laws and practices as well as an in-depth understanding of the GDPR. See the guidelines and FAQ on Data Protection Officers.
 
The final set of guidelines addresses the GDPR’s newly established arrangements for a ‘Lead Supervisory Authority’, also known as the ‘One Stop Shop’ principle. The guidelines clarify the triggering criteria for the ‘One Stop Shop’ mechanism and explain the method for determining which authority is to be named the Lead Supervisory Authority. Importantly, the guidelines reiterate that the ‘One Stop Shop’ mechanism applies only to data controllers with an establishment in the EU. See the guidelines and FAQ on Supervisory Authorities.