Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248 (pdf), Annex 1 – Examples of existing EU DPIA frameworks, Annex 2 – Criteria for an acceptable DPIA
Art. 29 WP
- Guidelines on Data Protection Officers (‘DPOs’), Adopted on 13 December 2016, As last Revised and Adopted on 5 April 2017 (WP 243 rev.01)
- Guidelines on the right to data portability, Adopted on 13 December 2016, As last Revised and adopted on 5 April 2017 (WP 242 rev.01)
- Guidelines for identifying a controller or processor’s lead supervisory authority, Adopted on 13 December 2016, As last Revised and Adopted on 5 April 2017 (WP 244, rev.01)
Microsoft has introduced an expanded settings menu in Windows 10 that gives users installing the software more information on data privacy. However, the EU’s Article 29 Working Party wonders if the changes include enough disclosures to customers. The WP29 has asked for more explanation of Microsoft’s processing strategy of personal data for various purposes, including advertising.
Less than 15 months left before the new GDPR comes into force, Microsoft also announced this week its promise to be compliant with the GDPR across all cloud services by the May 2018 deadline. Brendon Lynch stated that Microsoft is committed to principles of cloud trust, privacy, transparency and compliance. He also added that, while Microsoft is committed to “helping you successfully comply with the GDPR, it is important to recognize that compliance is a shared responsibility.” Lynch also acknowledged that the regulation’s new requirements will include greater access and deletion rules, clear risk assessment and data breach notification procedures, as well as data protection officer roles for many organizations.
Source: IAPP News
Privacyofficers.at veröffentlicht Stellungnahme betreffend “Guidelines on Data Protection Officers” der Artikel-29-Datenschutzgruppe
Die Artikel-29-Datenschutzgruppe hat im Dezember 2016 u.a. “Guidelines on Data Protection Officers (‘DPOs’)” veröffentlicht, die (bis Ende Jänner 2017) kommentiert werden können. Privacyofficers.at hat diese Möglichkeit genutzt und folgende Stellungnahme abgegeben:
In general, Privacyofficers.at welcomes the approach of the WP29 to further illustrate the GDPR and create a benefit for the addressees in the practical adoption of its provisions. Nevertheless, we would like to draw your attention to three issues which we find to be debatable in the view of a practical implementation:
1. Section 3.2. of the Guidelines (“Necessary resources”) – last bullet point:
The WP29 clarifies that an external DPO can fulfill the duties of a DPO for a data controller/processor either by a single representative or by a team. We welcome this approach; however, the option of carrying out the tasks of a DPO as a team should also be open to internal DPOs. We are of the opinion that controllers/processors should be free to appoint a single DPO or a team/board with the tasks of a DPO as long as all team members benefit from the provisions of the GDPR regarding dismissal etc. Therefore, we would recommend a clarification of the Guidelines in this regard.
2. Section 3.4. of the Guidelines (“Dismissal or penalty for performing DPO tasks”):
The WP29 argues that the cancellation of a contract with an external DPO shall only be possible and legally enforceable in the case the external DPO is in breach of its duties of being a DPO. This interpretation could be in conflict with the principle of freedom of contract. Each controller should be able to engage an external DPO but also to terminate the assignment of an external DPO in compliance with the relevant contract and applicable law. An external DPO is, in essence, a service provider commissioned to perform the controller´s / processor’s duties. The strict interpretation by the WP29 would lead to a situation where a controller cannot switch from an external DPO to an internal DPO unless the external DPO has failed to fulfill its duties under the GDPR. We are of the opinion that such an interpretation is not in line with the GDPR requirements and the principle of freedom of contract. We would therefore kindly ask for a re-evaluation or clarification of the Guidelines as regards this matter.
3. Section 4.4. of the Guidelines (“The DPO´s role in record-keeping”):
We regard the possibility of assigning the task of a data controller/processor to keep records of processing activities to the DPO, as the WP29 suggests, very critical for four reasons:
a. The DPO should be able to perform its duties and rights in full autonomy and without any interference by the controller / processor. On top of that, other tasks assigned to the DPO shall not lead to any conflicts of interest in executing the task of a DPO. It is foreseeable that a task principally assigned to the data controller, where noncompliance might lead to a fine as imposed by Art. 83, might create conflicts and could endanger the full autonomy of DPOs, for example in case the DPO does not follow instructions given by the data controller regarding the records to “cover-up” data processing not fully in line with the GDPR.
b. Furthermore, the DPO has – from the viewpoint of the tasks assigned by the GDPR- a sole control and advisory function, and is not responsible for the controller’s / processor`s compliance with the GDPR. Should the DPO be mandated to keep the records of all processing activities of the controller, this is in conflict with the nature of these tasks assigned and would very likely lead to a conflict of interests.
c. Also from a practical perspective the assignment of this task causes certain issues: Such a register has to follow specific requirements of IT or other responsible departments within a controller’s organization. It is not ensured that a DPO is receiving complete information of all processing activities within a controller’s business as the DPO is not responsible to have a complete list/register of all processing operations. The DPO has the role of an advisor and supervisor but not that of an “implementer”. This obligation lies with the controller / processor and not with the DPO.
d. Finally, the autonomy of the DPO opens up the possibility to impose fines on the data controller based on the activities of the DPO – while having only very limited influence over the DPO. As the GDPR is very clear on this, we therefore ask the WP29 to reconsider its opinion regarding the assignment of record-keeping of the processing activities to the DPO.
As the GDPR is very clear on this, we therefore ask the WP29 to reconsider its opinion regarding the assignment of record-keeping of the processing activities to the DPO.
From the press release: Consistent with its 2016 Action Plan decided in February 2016, the WP29 adopted during the December plenary:
- Guidelines and FAQs on the right to Data Portability,
- Guidelines and FAQs on Data Protection Officers (DPO) and
- Guidelines and FAQs on the Lead Supervisory Authority. […]
To complement this, the WP29 welcomes any additional comments that stakeholders may have on the adopted guidelines until the end of January 2017. The comments on guidelines can be sent to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and email@example.com. Finally, the guidelines on Data Protection Impact Assessments and Certification will be ready in 2017.