July 22, 2019

July 19, 2019

Subscribe to Latest Legal News and Analysis

WP29 Publishes Guidance on Important GDPR Concepts: DPOs, Data Portability and Lead Supervisory Authority

On December 16, 2016, the Article 29 Data Protection Working Party (“WP29”) published guidelines and FAQs on the forthcoming General Data Protection Regulation (the “GDPR”) addressing the following three key issues:

  1. Data Protection Officers (“DPOs”) (WP 243)
  2. The right to “data portability” (WP 242)
  3. The identification of the lead supervisory authority (WP244)

The published guidelines are based on input from various stakeholders, including the workshop (Fablab) that the WP29 organised in July 2016 (for the summary of the discussions at the Fablab, see here).  


The WP29 encourages organisations to designate a DPO on a voluntary basis. In the guidelines WP29 provides more detail regarding the designation requirements and further defines what is meant by “core activities”, “large scale”, and “regular and systematic monitoring”.   Also addressed are the conditions necessary for the designation of a single DPO for a group of related companies, the required expertise of the DPO (which may be an organisation’s employee or appointed via a service contract), the tasks a DPO is required to undertake, and issues relating to DPOs of processors.

Right to Data Portability

The WP29 adopts a very broad interpretation of the scope of the right to data portability, suggesting the right does not only cover data provided knowingly and actively by the data subject (for example, by completing an online form), but also data generated by and collected from the activities of users (basically raw data collected by virtue of the use of the service or the device as opposed to inferred or derived data, such as data generated through the subsequent analysis of the data subject through the use of cookies).

The WP29 distinguishes two elements of the right to data portability, namely (i) the right to receive personal data and store it further for personal use on a device, and (ii) the right to transmit the data to another controller, without hindrance. The right to data portability is limited to cases where the processing of personal data is based on consent or contract, but the WP29 considers it a good practice in other cases. The personal data must concern the data subject; in other words, anonymous data is out of scope, whilst pseudonymous data is within scope if it can be clearly linked to a data subject.

 Identifying the Lead Supervisory Authority

The guidelines, which also contain a useful checklist for controllers and processors, explains how to determine the lead or otherwise competent Supervisory Authority (“SA”) in a number of different scenarios, including by way of examples. Importantly, the WP29 recognises that there will be borderline and complex situations in which the determination of the lead SA will be difficult; if the SAs have conflicting view, the European Data Protection Board will need to take a decision.  The WP29 notes that companies without an “establishment” within the EU cannot benefit from the “one stop shop” but must deal with the local SAs in every Member State they are active in.

 Next Steps

Stakeholders have until the end of January 2017 to comment on the published guidelines, and in 2017, the WP29 will publish guidelines on Data Protection Impact Assessments and Certification.  In April 2017, a new Fablab on GDPR with interested stakeholders will occur, and in May 2017, the WP29 will host a meeting with its international counterparts.

© Copyright 2019 Squire Patton Boggs (US) LLP


About this Author

Monika Kuschewsky, Information Privacy, Squire Patton Boggs Law FIrm

Monika Kuschewsky is a German Rechtsanwältin and qualified as a Certified Information Privacy Professional/Europe (CIPP/E) and Betrieblicher Datenschutzbeauftragter (German company data protection officer) (GDDcert.). Monika is the general editor of Data Protection & Privacy − International Series, now in its 3rd edition.

+322 627 11 11
Ann J. LaFrance, Squire Patton Boggs, Cybersecurity Matters Lawyer, Telecommunications Attorney

Ann LaFrance co-leads our Data Privacy & Cybersecurity practice. Drawing on more than 20 years of industry experience, Ann advises clients on telecommunications regulation and new media policy, competition law, dispute resolution and European Union ('EU') data protection matters.

44 20 7655 1752
Gretchen A. Ramos, Squire Patton Boggs, complex commercial disputes lawyer, Client Services Attorney

Gretchen Ramos, CIPP/US, CIPP/E, is an aggressive litigator with a long track record in complex commercial disputes. In addition to her prodigious legal skills, Gretchen brings a direct, no-nonsense approach to client service, and uses her creativity to simplify matters for in-house counsel with dozens of other cases – and little time – on their hands.

Gretchen is known for her ability to get to the heart of any dispute. She can quickly identify the key issues, eliminate the extraneous ones, and draw out a strategic roadmap that is both cost-...

415 743 2576