At its June plenary meeting, the Article 29 Working Party (WP29):
- examined certain critical matters with regard to the implementation of the General Data Protection Regulation (GDPR) and international data transfers (including Privacy Shield),
- adopted an updated opinion on the use of personal data in the employment environment, and more particularly employee monitoring, and
- discussed other issues (e.g. letter to WhatsApp).
1. GDPR: Adoption of guidelines
The WP29 will adopt the final version of the Data Protection Impact Assessment (DPIA) guidelines at the October plenary meeting.
Guidelines relating to consent, profiling, transparency, data breach notifications and data transfers should be adopted by December 2017.
The Working Party also continued its work on the draft certification guidelines.
The plenary meeting also worked on the organization and structure of the European Data Protection Board (EDPB) to be ready by May 25, 2018 and on the tools necessary for the cooperation between DPAs under the new framework.
2. International data transfers
2.1. Privacy Shield – Joint Annual Meeting
The WP29 adopted a letter addressed to the European Commission sharing its views and recommendations on the operational and substantive modalities of the Joint Review of the recent US-EU agreement on data transfers.
The Joint Review will take place in September 2017 in the US with the participation of 8 WP29 members.
2.2. International transfers between Financial authorities
The WP29 adopted a letter addressed to the European Securities and Markets Authority (ESMA) providing guidance and recommendations on the way to frame international transfers of personal data under Article 46 of the GDPR to third-country authorities in countries which have not been recognized by the European Commission as offering an adequate level of data protection.
2.3. Other Issues regarding data transfer
The WP29 has planned:
- to update the opinion on international transfers of personal data between public bodies for administrative cooperation purposes in the light of the GDPR;
- to review the data protection clauses developed by national tax authorities to accompany the Common Reporting Standard (CRS) developed by the OECD in 2014, on the inter-state exchange of information to address the issue of tax evasion;
- to review the recent discussion paper from the European Commission’s services on cross-border access to electronic evidence. This document, presented to the Ministers of Justice of the EU for discussion, points out the difficulties and shortcomings of the current legal systems of the Member States in ensuring swift and efficient access to electronic evidence held by private companies in the context of criminal investigations;
- to provide further guidance on the Police and Justice Directive. Discussions continue on the future of supervision models related to EU bodies, agencies, offices and IT systems in the area of law enforcement.
3. Employee monitoring
The WP29 has also updated its opinion on employee monitoring and, more generally, the use of employee data in the work environment. Since the release of its last opinion on the matter in 2001, a number of new technologies have been adopted that enable more systematic processing of employees’ personal data at work, creating significant new challenges to privacy and data protection.
This opinion is therefore an update and is aimed at making a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees.
(i) The WP29 is preparing a letter to be addressed to WhatsApp on key issues of concern, including consent and legitimate interests, as well as proposed solutions to remedy areas of non-compliance.
(ii) Several delegations presented to the plenary their national implementation measures and initiatives for the preparation of the GDPR (e.g. social media communication strategies, in-house training and national GDPR guidelines for small and medium-sized companies (SMEs)). The objective of this exercise is to create a common library and to pool resources in relation to the GDPR preparations.