Following its plenary meeting held on the 12th and 13th of December, the WP29 (the group of European data protection authorities) has released its first guidelines, providing its interpretation of the GDPR provisions on the following:

Data portability

Data Protection Officer Appointment

Lead Supervisory Authority

As a summary:

Data Portability is the right of an individual to obtain a copy of the personal information they provided to the data controller, in a format that enables them to use it or to transfer it, either to another data controller so that the latter can provide its service, or to the individual concerned for their own use. The scope of this right differs from that of the right of access, which has a different purpose and covers any of the individual’s personal data held by the data controller, even data not provided by the individual directly.

A Data Protection Officer must be appointed where:

– the controller is a public authority or body;

– the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or special categories of personal data relating to criminal convictions and offences.

Given the position of the WP29 in its guidelines, it seems that most companies with a large customer database that use profiling for direct marketing purposes will be affected and should appoint a Data Protection Officer.

The guideline on the lead supervisory authority gives more detail on how to apply the one-stop-shop rules. As already said in the one-stop-shop article, it is necessary to refer to only one Data Protection Authority in the case of cross-border processing (processing having an effect in more than one Member State). These provisions apply to both controllers and processors located within the EU. Any controller outside of the EU should not benefit from these provisions and should refer to any concerned Data Protection Authority.

More details on these guidelines will be provided in the GDPR section very soon. In the meantime you can read the full guideline by clicking on the link at the top of the article.

GDPR: First Guidelines Released
